Tor: Difference between revisions

From NixOS Wiki
imported>Fadenb
No edit summary
Layer-09 (talk | contribs)
m Made Tips and Tricks titles bigger
 
(36 intermediate revisions by 14 users not shown)
Line 1: Line 1:
= Warning =
<div style="border: 1px solid #D33; background: #FFEBEB; padding: 30px; border-radius: 5px; margin: 10px 0px; display: flex; align-items: center;">
{{warning|text=If you rely on Tor to provide anonymity you should ensure have a complete understanding of all parts involved!}}
    <div style="color: #D33; font-size: 40px; margin-right: 15px; background: #FFEBEB; display: flex; line-height: 0;  align-items: center;">⚠</div>
    <div style="color: #D33; font-size: 15px; font-style: normal; font-weight: 400; line-height: normal; text-align: left;"><strong>Tor is not a panacea.</strong> To achieve effective anonymity with Tor, you must understand its <strong>caveats</strong> and adjust your <strong>browsing habits</strong>. The Tor Project provides a crucial [https://support.torproject.org/faq/staying-anonymous/ list of tips] that you should read before using Tor.</div>
</div>


= How Tor is set up by default in NixOS =
<strong>Tor (The Onion Router)</strong> is a free, open-source software that enables anonymous internet communication. It protects users' privacy by routing traffic through a global network of volunteer-operated servers, masking IP addresses and online activities. Tor's key features include <strong>anonymity</strong>, <strong>privacy</strong>, and <strong>censorship circumvention</strong>. It supports hidden services with <strong>.onion domains</strong> for additional anonymity.


By default Tor in NixOS provides 2 different SOCKS proxies.
Tor works by encrypting data multiple times and sending it through a series of nodes (entry, middle, and exit), each decrypting a layer. This process, called <strong>onion routing</strong>, ensures no single point knows both the origin and destination.


9050 is a "slow" SOCKS port which can be used for email, git and pretty much any other protocol
Commonly used by <strong>journalists</strong>, <strong>activists</strong>, and <strong>privacy-conscious individuals</strong>, Tor helps bypass censorship and protect against surveillance. However, it can be slower than direct connections and has been associated with illegal activities due to its anonymity.
but HTTP(S) since a new circuit will be created for each destination IP. This is a safe
default which complicates identity corellation attacks, although isn't sufficient to
completely thwart them.


9063 is the "fast" SOCKS port suitable for a browser. A new circuit is established every 10 minutes.
For more information, you can visit the official [https://www.torproject.org/ Tor Project website].


== torsocks, torsocks-faster vs tsocks difference ==
== Installation ==


Both torsocks and tsocks wrappers route traffic via Tor.
==== Using nix-shell ====
<syntaxhighlight lang="bash" start="3">
nix-shell -p tor-browser
</syntaxhighlight>


However, neither of the wrappers reliably prevent an application from establishing
==== Using Global Configuration ====
connections outside of Tor network, but merely ensure that non-malicious code has
<syntaxhighlight lang="text">
its direct connection attempts routed via Tor. Some applications, such as those
environment.systemPackages = [
using KDE KIO framework, don't make direct connections and instead use kdeinit4
  pkgs.tor-browser
to spawn worker processes, rendering the wrappers useless.
];
</syntaxhighlight>After modifying your configuration, apply the changes by running:<syntaxhighlight lang="bash">
sudo nixos-rebuild switch
</syntaxhighlight>


For more security, you need to run an application inside a virtual machine and
==== Using Home Configuration ====
configure its networking to be routed via Tor only.
<syntaxhighlight lang="text">
home.packages = [
  pkgs.tor-browser
];
</syntaxhighlight>After updating your configuration, apply the changes by running:<syntaxhighlight lang="bash">
home-manager switch
</syntaxhighlight>


torsocks is a bit more secure because it blackholes UDP traffic and private IP traffic,
== Configuration ==
such as LAN traffic.


You should use torsocks where possible. Use torsocks-faster/fast port/Privoxy for HTTP(due to performance)
==== Basic ====
and protocols which break if used from several IPs. Examples: ICQ login requires contacting different servers
and checks that it is done from the same IP; FTP transfers are performed via separate connection
which must originate from the same IP.


tsocks is the weakest wrapper which is nevertheless necessary if your application needs to make local
<syntaxhighlight lang="nix">
connections or makes DNS queries in a way not handled by torsocks. Example: Kopete's XMPP plugin
services.tor = {
only works with tsocks and obviously leaks DNS queries.
  enable = true;
  openFirewall = true;
};
</syntaxhighlight>


== tsocks as a "guard" wrapper ==
==== Advanced ====
<syntaxhighlight lang="nix">
services.tor = {
  enable = true;


Some applications have native support for HTTP/SOCKS proxies, and it is tempting to use it.
  # Disable GeoIP to prevent the Tor client from estimating the locations of Tor nodes it connects to
However, it isn't unheard of for proxy support to have bugs or for application plugins to ignore proxy
  enableGeoIP = false;
settings or settings getting lost. Using torsocks wrapper can be more reliable.


An alternative approach is use both tsocks and built-in proxy support. This way, if the application's proxy
  # Enable Torsocks for transparent proxying of applications through Tor
support fails, the connection is likely to be caught by tsocks and if you run the application without
  torsocks.enable = true;
tsocks by mistake, the connections are still likely to be proxied.


== Privoxy ==
  # Enable the Tor client
  client = {
    enable = true;
  };


By default, privoxy is enabled if you enable Tor client functionality and configured to route
  # Enable and configure the Tor relay
to the fast SOCKS port.
  relay = {
    enable = true;
    role = "relay";  # Set the relay role (e.g., "relay", "bridge")
  };


== KDE and Tor ==
  # Configure Tor settings
  settings = {
    Nickname = "YourNickname"; 
    ContactInfo = "your-email@example.com";


In KDE, proxy server configuration is set for all applications at once.
    # Bandwidth settings
You should set the SOCKS proxy to Tor's default 9050 port, and set HTTP proxy to Privoxy(port 8118).
    MaxAdvertisedBandwidth = "100 MB"; 
Without Privoxy, KDE apps using either KHTML or WebKit KPart such as Konqueror, Rekonq, KTorrent, Akregator
    BandWidthRate = "50 MB"; 
would become nearly unusable and cause excessive load to the Tor network.
    RelayBandwidthRate = "50 MB"; 
    RelayBandwidthBurst = "100 MB";


Another possibility is to run "tsocks kdeinit4", which would cause kdeinit4 to respawn in a wrapped state.
    # Restrict exit nodes to a specific country (use the appropriate country code)
All KDE applications started after this, will be wrapped with tsocks.
    ExitNodes = "{ch} StrictNodes 1"
   
    # Reject all exit traffic
    ExitPolicy = "reject *:*"; 


=== Kopete ===
    # Performance and security settings
    CookieAuthentication = true; 
    AvoidDiskWrites = 1;
    HardwareAccel = 1; 
    SafeLogging = 1;
    NumCPUs = 3; 


Kopete makes direct connections and ignores KDE settings. Kopete torification
    # Network settings
dependins on what plugins you use. XMPP requires tsocks. ICQ requires torsocks-faster.
    ORPort = [443];
  };
};


=== KDE PIM ===
# Operating a Snowflake proxy helps others circumvent censorship. Safe to run.
services.snowflake-proxy = {
  enable = true;
  capacity = 10;
};
</syntaxhighlight>


KMail respects KDE-wide proxy settings, and the "safe" SOCKS port offers good isolation between your mailboxes.
The Tor relay will require some days to advertise in the network, to the [https://metrics.torproject.org/rs.html relay index] and start generating traffic. You can query metrics about your relay on the relay index page using the name or email from the settings.


== How to see what's going on, and work around bans ==
In case your Tor relay is running behind a NAT network, be sure to forward the ORPort to your server running Tor.


Vidalia is convenient for troubleshooting and changing circuits should your
== Tips and Tricks ==
current exit node be banned by a particular site.
=== Location of Option ===
Vidalia needs an active control port:
The global options are listed on [https://mynixos.com/search?q=tor MyNixOS].  
<pre>
  services.tor.controlPort = 9051;
</pre>


Vidalia allows you to change Tor configuration on the fly, which you should
=== Relay Management ===
avoid doing and instead use NixOS config to control your Tor instance.
Tor relays are servers that help anonymize internet traffic by routing it through a series of nodes. Each relay in the Tor network plays a crucial role in maintaining the privacy and security of users by ensuring that no single point can trace the origin and destination of the data. The primary purpose of Tor relays is to facilitate anonymous communication and protect users from network surveillance and traffic analysis.
The only useful features are "new Identity" and "network map".


If you do change something else by accident, you will have to manually edit
'''Types of Relays'''
Vidalia's configuration file ~/.vidalia/vidalia.conf and replace
* '''Entry (Guard) Relays:''' These are the first relays that Tor clients connect to. They are responsible for receiving traffic from the user and passing it to the middle relays. Entry relays are chosen carefully to ensure stability and reliability.
all "Changed = true" with "Changed = false", otherwise Vidalia and NixOS
* '''Middle Relays:''' These relays pass traffic between the entry and exit relays. They add an additional layer of encryption and help obscure the path of the data.
will fight for the control of the Tor service process.
* '''Exit Relays:''' These are the final relays that traffic passes through before reaching its destination. Exit relays decrypt the last layer of encryption and send the data to the intended recipient. They are crucial for accessing non-Tor websites and services.
 
'''Performance Considerations'''
* '''Bandwidth:''' The speed and performance of the Tor network depend on the bandwidth provided by the relays. Higher bandwidth relays can handle more traffic and improve overall network performance.
* '''Latency:''' Due to the multiple layers of encryption and the routing through several relays, Tor can introduce latency, making it slower than direct internet connections.
* '''Load Balancing:''' The Tor network uses load balancing to distribute traffic evenly across relays, preventing any single relay from becoming a bottleneck.
 
'''Security Risks'''
* '''Malicious Relays:''' Some relays may be operated by malicious actors attempting to intercept or manipulate traffic. The Tor network mitigates this risk through its layered encryption, but users should remain cautious.
* '''Exit Relay Monitoring:''' Since exit relays decrypt the final layer of encryption, they can potentially monitor unencrypted traffic. Users should use end-to-end encryption (e.g., HTTPS) to protect their data.
* '''Correlation Attacks:''' Adversaries with the ability to monitor both the entry and exit points of the Tor network may attempt to correlate traffic patterns and de-anonymize users.
 
'''Legal Issues'''
* '''Jurisdiction:''' Tor relays operate in various jurisdictions, each with its own legal framework. Relay operators should be aware of local laws and regulations regarding data privacy and internet usage.
* '''Liability:''' Exit relay operators may face legal scrutiny if their relays are used for illegal activities. It is important for operators to understand the potential legal implications and take appropriate measures to protect themselves.
 
=== Client Bridge ===
<div style="border: 1px solid #D33; background: #FFEBEB; padding: 30px; border-radius: 5px; margin: 10px 0px; display: flex; align-items: center;">
    <div style="color: #D33; font-size: 40px; margin-right: 15px; background: #FFEBEB; display: flex; line-height: 0;  align-items: center;">⚠</div>
    <div style="color: #D33; font-size: 15px; font-style: normal; font-weight: 400; line-height: normal; text-align: left;">Do not attempt to use Tor with any web browsers other than Tor Browser. Tor Browser integrates custom modifications to Firefox to enhance anonymity and ensure that information leakage does not occur. Using another web browser with Tor is likely to result in imperfect anonymity and is unsafe.</div>
</div>
 
Tor can be enabled as a system service by enabling options {{nixos:option|services.tor.enable}}. Configuration of tor service is an example of [https://nixos.org/manual/nixos/stable/index.html#sec-freeform-modules Freeform module], so you can pass not only explicitly supported {{nixos:option|services.tor.settings}}, but all other [https://2019.www.torproject.org/docs/tor-manual.html.en torrc] options. For example, client bridge config can be set like this:
 
<syntaxhighlight lang="nix">
services.tor.settings = {
      UseBridges = true;
      ClientTransportPlugin = "obfs4 exec ${pkgs.obfs4}/bin/lyrebird";
      Bridge = "obfs4 IP:ORPort [fingerprint]"
};
</syntaxhighlight>
 
By default, Tor in NixOS provides one SOCKS proxy on port 9050. Port 9050 is a "slow" SOCKS port which can be used for email, git, and pretty much any other protocol except HTTP(S). This is a safe default which complicates identity correlation attacks, although it isn't sufficient to completely thwart them.
 
By also enabling {{nixos:option|services.tor.client.enable}}, an additional SOCKS service on port 9063 can be enabled. This is a "fast" SOCKS port suitable for browser use; a new circuit is established every ten minutes.
 
=== Sandboxing ===
 
You can also run the [[Tor Browser in a Container]].
 
Alternatively, Tor can be configured together with the [[Firejail#Torify_application_traffic|Firejail]] sandboxing solution.
 
=== Faster Reconnects on Network Switch ===
Using [[Systemd/networkd/dispatcher]] it is possible to restart the Tor daemon every time a network reconnect is performed. This avoids having to wait for Tor network timeouts and reestablishes a new connection faster.
 
'''Guard Wrappers'''
Some applications have native support for SOCKS proxies, and it is tempting to use such support. However, it isn't unheard of for proxy support to have bugs or for application plugins to ignore proxy settings or for settings to get lost. Using a wrapper such as torsocks can be more reliable.
 
An alternative approach is use both a wrapper and built-in proxy support. This way, if the application's proxy support fails, the connection is likely to be caught by the wrapper and if you run the application without the wrapper by mistake, the connections are still likely to be proxied.
 
=== KDE Integration ===
'''KDE Proxy Configuration'''
In KDE, proxy server configuration is set for all applications centrally. You should set the SOCKS proxy to Tor's default SOCKS port (127.0.0.1:9050), and set the HTTP proxy to Privoxy (127.0.0.1:8118).
 
Without Privoxy, KDE applications using either KHTML or WebKit KPart (such as Konqueror, Rekonq, KTorrent, Akregator) would become nearly unusable and cause excessive load to the Tor network.
 
Another possibility is to run <tt>tsocks kdeinit4</tt>, which would cause kdeinit4 to respawn in a wrapped state. All KDE applications started after this will be wrapped with tsocks.
 
'''Kopete'''
Kopete makes direct connections and ignores KDE settings. Kopete torification depends on what plugins you use. XMPP requires <tt>tsocks</tt>. ICQ requires <tt>torsocks-faster</tt>.
 
'''KDE PIM'''
KMail respects KDE-wide proxy settings, and the "safe" SOCKS port offers good isolation between mailboxes.
 
=== DNS over Tor ===
<syntaxhighlight lang="nix">
services = {
  tor = {
    enable = true;
    client.dns.enable = true;
    settings.DNSPort = [{
      addr = "127.0.0.1";
      port = 53;
    }];
  };
  resolved = {
    enable = true; # For caching DNS requests.
    fallbackDns = [ "" ]; # Overwrite compiled-in fallback DNS servers.
  };
};
 
networking.nameservers = [ "127.0.0.1" ];
</syntaxhighlight>
 
Please refer to [https://wiki.archlinux.org/title/Tor#TorDNS ArchWiki] for details.
 
== References ==
 
# https://support.torproject.org/tbb/tbb-9
# https://nixos.org/manual/nixos/stable/index.html#sec-freeform-modules
# https://2019.www.torproject.org/docs/tor-manual.html.en
# https://wiki.archlinux.org/title/Tor#TorDNS
# https://mynixos.com/search?q=tor
 
 
[[Category:Networking]]
[[Category:Applications]]
[[Category:Server]]
[[Category:Security]]
[[Category:Privacy]]

Latest revision as of 17:47, 4 July 2024

Tor is not a panacea. To achieve effective anonymity with Tor, you must understand its caveats and adjust your browsing habits. The Tor Project provides a crucial list of tips that you should read before using Tor.

Tor (The Onion Router) is a free, open-source software that enables anonymous internet communication. It protects users' privacy by routing traffic through a global network of volunteer-operated servers, masking IP addresses and online activities. Tor's key features include anonymity, privacy, and censorship circumvention. It supports hidden services with .onion domains for additional anonymity.

Tor works by encrypting data multiple times and sending it through a series of nodes (entry, middle, and exit), each decrypting a layer. This process, called onion routing, ensures no single point knows both the origin and destination.

Commonly used by journalists, activists, and privacy-conscious individuals, Tor helps bypass censorship and protect against surveillance. However, it can be slower than direct connections and has been associated with illegal activities due to its anonymity.

For more information, you can visit the official Tor Project website.

Installation

Using nix-shell

nix-shell -p tor-browser

Using Global Configuration

environment.systemPackages = [
  pkgs.tor-browser
];

After modifying your configuration, apply the changes by running:

sudo nixos-rebuild switch

Using Home Configuration

home.packages = [ 
  pkgs.tor-browser
];

After updating your configuration, apply the changes by running:

home-manager switch

Configuration

Basic

services.tor = {
  enable = true;
  openFirewall = true;
};

Advanced

services.tor = {
  enable = true; 

  # Disable GeoIP to prevent the Tor client from estimating the locations of Tor nodes it connects to
  enableGeoIP = false;

  # Enable Torsocks for transparent proxying of applications through Tor
  torsocks.enable = true;

  # Enable the Tor client
  client = {
    enable = true;
  };

  # Enable and configure the Tor relay
  relay = {
    enable = true;
    role = "relay";  # Set the relay role (e.g., "relay", "bridge")
  };

  # Configure Tor settings
  settings = {
    Nickname = "YourNickname";  
    ContactInfo = "your-email@example.com"; 

    # Bandwidth settings
    MaxAdvertisedBandwidth = "100 MB";  
    BandWidthRate = "50 MB";  
    RelayBandwidthRate = "50 MB";  
    RelayBandwidthBurst = "100 MB"; 

    # Restrict exit nodes to a specific country (use the appropriate country code)
    ExitNodes = "{ch} StrictNodes 1";  
    
    # Reject all exit traffic
    ExitPolicy = "reject *:*";  

    # Performance and security settings
    CookieAuthentication = true;  
    AvoidDiskWrites = 1; 
    HardwareAccel = 1;  
    SafeLogging = 1; 
    NumCPUs = 3;   

    # Network settings
    ORPort = [443];
  };
};

# Operating a Snowflake proxy helps others circumvent censorship. Safe to run.
services.snowflake-proxy = {
  enable = true;
  capacity = 10;
};

The Tor relay will require some days to advertise in the network, to the relay index and start generating traffic. You can query metrics about your relay on the relay index page using the name or email from the settings.

In case your Tor relay is running behind a NAT network, be sure to forward the ORPort to your server running Tor.

Tips and Tricks

Location of Option

The global options are listed on MyNixOS.

Relay Management

Tor relays are servers that help anonymize internet traffic by routing it through a series of nodes. Each relay in the Tor network plays a crucial role in maintaining the privacy and security of users by ensuring that no single point can trace the origin and destination of the data. The primary purpose of Tor relays is to facilitate anonymous communication and protect users from network surveillance and traffic analysis.

Types of Relays

  • Entry (Guard) Relays: These are the first relays that Tor clients connect to. They are responsible for receiving traffic from the user and passing it to the middle relays. Entry relays are chosen carefully to ensure stability and reliability.
  • Middle Relays: These relays pass traffic between the entry and exit relays. They add an additional layer of encryption and help obscure the path of the data.
  • Exit Relays: These are the final relays that traffic passes through before reaching its destination. Exit relays decrypt the last layer of encryption and send the data to the intended recipient. They are crucial for accessing non-Tor websites and services.

Performance Considerations

  • Bandwidth: The speed and performance of the Tor network depend on the bandwidth provided by the relays. Higher bandwidth relays can handle more traffic and improve overall network performance.
  • Latency: Due to the multiple layers of encryption and the routing through several relays, Tor can introduce latency, making it slower than direct internet connections.
  • Load Balancing: The Tor network uses load balancing to distribute traffic evenly across relays, preventing any single relay from becoming a bottleneck.

Security Risks

  • Malicious Relays: Some relays may be operated by malicious actors attempting to intercept or manipulate traffic. The Tor network mitigates this risk through its layered encryption, but users should remain cautious.
  • Exit Relay Monitoring: Since exit relays decrypt the final layer of encryption, they can potentially monitor unencrypted traffic. Users should use end-to-end encryption (e.g., HTTPS) to protect their data.
  • Correlation Attacks: Adversaries with the ability to monitor both the entry and exit points of the Tor network may attempt to correlate traffic patterns and de-anonymize users.

Legal Issues

  • Jurisdiction: Tor relays operate in various jurisdictions, each with its own legal framework. Relay operators should be aware of local laws and regulations regarding data privacy and internet usage.
  • Liability: Exit relay operators may face legal scrutiny if their relays are used for illegal activities. It is important for operators to understand the potential legal implications and take appropriate measures to protect themselves.

Client Bridge

Do not attempt to use Tor with any web browsers other than Tor Browser. Tor Browser integrates custom modifications to Firefox to enhance anonymity and ensure that information leakage does not occur. Using another web browser with Tor is likely to result in imperfect anonymity and is unsafe.

Tor can be enabled as a system service by enabling options services.tor.enable. Configuration of tor service is an example of Freeform module, so you can pass not only explicitly supported services.tor.settings, but all other torrc options. For example, client bridge config can be set like this:

services.tor.settings = {
      UseBridges = true;
      ClientTransportPlugin = "obfs4 exec ${pkgs.obfs4}/bin/lyrebird";
      Bridge = "obfs4 IP:ORPort [fingerprint]"
};

By default, Tor in NixOS provides one SOCKS proxy on port 9050. Port 9050 is a "slow" SOCKS port which can be used for email, git, and pretty much any other protocol except HTTP(S). This is a safe default which complicates identity correlation attacks, although it isn't sufficient to completely thwart them.

By also enabling services.tor.client.enable, an additional SOCKS service on port 9063 can be enabled. This is a "fast" SOCKS port suitable for browser use; a new circuit is established every ten minutes.

Sandboxing

You can also run the Tor Browser in a Container.

Alternatively, Tor can be configured together with the Firejail sandboxing solution.

Faster Reconnects on Network Switch

Using Systemd/networkd/dispatcher it is possible to restart the Tor daemon every time a network reconnect is performed. This avoids having to wait for Tor network timeouts and reestablishes a new connection faster.

Guard Wrappers Some applications have native support for SOCKS proxies, and it is tempting to use such support. However, it isn't unheard of for proxy support to have bugs or for application plugins to ignore proxy settings or for settings to get lost. Using a wrapper such as torsocks can be more reliable.

An alternative approach is use both a wrapper and built-in proxy support. This way, if the application's proxy support fails, the connection is likely to be caught by the wrapper and if you run the application without the wrapper by mistake, the connections are still likely to be proxied.

KDE Integration

KDE Proxy Configuration In KDE, proxy server configuration is set for all applications centrally. You should set the SOCKS proxy to Tor's default SOCKS port (127.0.0.1:9050), and set the HTTP proxy to Privoxy (127.0.0.1:8118).

Without Privoxy, KDE applications using either KHTML or WebKit KPart (such as Konqueror, Rekonq, KTorrent, Akregator) would become nearly unusable and cause excessive load to the Tor network.

Another possibility is to run tsocks kdeinit4, which would cause kdeinit4 to respawn in a wrapped state. All KDE applications started after this will be wrapped with tsocks.

Kopete Kopete makes direct connections and ignores KDE settings. Kopete torification depends on what plugins you use. XMPP requires tsocks. ICQ requires torsocks-faster.

KDE PIM KMail respects KDE-wide proxy settings, and the "safe" SOCKS port offers good isolation between mailboxes.

DNS over Tor

services = {
  tor = {
    enable = true;
    client.dns.enable = true;
    settings.DNSPort = [{
      addr = "127.0.0.1";
      port = 53;
    }];
  };
  resolved = {
    enable = true; # For caching DNS requests.
    fallbackDns = [ "" ]; # Overwrite compiled-in fallback DNS servers.
  };
};

networking.nameservers = [ "127.0.0.1" ];

Please refer to ArchWiki for details.

References

  1. https://support.torproject.org/tbb/tbb-9
  2. https://nixos.org/manual/nixos/stable/index.html#sec-freeform-modules
  3. https://2019.www.torproject.org/docs/tor-manual.html.en
  4. https://wiki.archlinux.org/title/Tor#TorDNS
  5. https://mynixos.com/search?q=tor