Tor: Difference between revisions

From NixOS Wiki
imported>Fadenb
Layer-09 (talk | contribs)
m Made Tips and Tricks titles bigger
 
(31 intermediate revisions by 14 users not shown)
Line 1: Line 1:
= Warning =
<div style="border: 1px solid #D33; background: #FFEBEB; padding: 30px; border-radius: 5px; margin: 10px 0px; display: flex; align-items: center;">
{{warning|text=If you rely on Tor to provide anonymity you should ensure have a complete understanding of all parts involved!}}
    <div style="color: #D33; font-size: 40px; margin-right: 15px; background: #FFEBEB; display: flex; line-height: 0;  align-items: center;">⚠</div>
    <div style="color: #D33; font-size: 15px; font-style: normal; font-weight: 400; line-height: normal; text-align: left;"><strong>Tor is not a panacea.</strong> To achieve effective anonymity with Tor, you must understand its <strong>caveats</strong> and adjust your <strong>browsing habits</strong>. The Tor Project provides a crucial [https://support.torproject.org/faq/staying-anonymous/ list of tips] that you should read before using Tor.</div>
</div>


= How Tor is set up in NixOS =
<strong>Tor (The Onion Router)</strong> is a free, open-source software that enables anonymous internet communication. It protects users' privacy by routing traffic through a global network of volunteer-operated servers, masking IP addresses and online activities. Tor's key features include <strong>anonymity</strong>, <strong>privacy</strong>, and <strong>censorship circumvention</strong>. It supports hidden services with <strong>.onion domains</strong> for additional anonymity.


By default Tor in NixOS provides one SOCKS proxy on port 9050:
Tor works by encrypting data multiple times and sending it through a series of nodes (entry, middle, and exit), each decrypting a layer. This process, called <strong>onion routing</strong>, ensures no single point knows both the origin and destination.


9050 is a "slow" SOCKS port which can be used for email, git and pretty much any other protocol
Commonly used by <strong>journalists</strong>, <strong>activists</strong>, and <strong>privacy-conscious individuals</strong>, Tor helps bypass censorship and protect against surveillance. However, it can be slower than direct connections and has been associated with illegal activities due to its anonymity.
but HTTP(S) since a new circuit will be created for each destination IP. This is a safe
default which complicates identity corellation attacks, although isn't sufficient to
completely thwart them.


By adding <code>services.tor.client.enable = true;</code> to configuration.nix an additional proxy on port 9063 can be enabled:
For more information, you can visit the official [https://www.torproject.org/ Tor Project website].


9063 is the "fast" SOCKS port suitable for a browser. A new circuit is established every 10 minutes.
== Installation ==


== torsocks, torsocks-faster vs tsocks difference ==
==== Using nix-shell ====
<syntaxhighlight lang="bash" start="3">
nix-shell -p tor-browser
</syntaxhighlight>
 
==== Using Global Configuration ====
<syntaxhighlight lang="text">
environment.systemPackages = [
  pkgs.tor-browser
];
</syntaxhighlight>After modifying your configuration, apply the changes by running:<syntaxhighlight lang="bash">
sudo nixos-rebuild switch
</syntaxhighlight>
 
==== Using Home Configuration ====
<syntaxhighlight lang="text">
home.packages = [
  pkgs.tor-browser
];
</syntaxhighlight>After updating your configuration, apply the changes by running:<syntaxhighlight lang="bash">
home-manager switch
</syntaxhighlight>
 
== Configuration ==
 
==== Basic ====
 
<syntaxhighlight lang="nix">
services.tor = {
  enable = true;
  openFirewall = true;
};
</syntaxhighlight>
 
==== Advanced ====
<syntaxhighlight lang="nix">
services.tor = {
  enable = true;
 
  # Disable GeoIP to prevent the Tor client from estimating the locations of Tor nodes it connects to
  enableGeoIP = false;
 
  # Enable Torsocks for transparent proxying of applications through Tor
  torsocks.enable = true;
 
  # Enable the Tor client
  client = {
    enable = true;
  };
 
  # Enable and configure the Tor relay
  relay = {
    enable = true;
    role = "relay";  # Set the relay role (e.g., "relay", "bridge")
  };
 
  # Configure Tor settings
  settings = {
    Nickname = "YourNickname"; 
    ContactInfo = "your-email@example.com";


Both torsocks and tsocks wrappers route traffic via Tor.
    # Bandwidth settings
    MaxAdvertisedBandwidth = "100 MB"; 
    BandWidthRate = "50 MB"; 
    RelayBandwidthRate = "50 MB"; 
    RelayBandwidthBurst = "100 MB";


However, neither of the wrappers reliably prevent an application from establishing
    # Restrict exit nodes to a specific country (use the appropriate country code)
connections outside of Tor network, but merely ensure that non-malicious code has
    ExitNodes = "{ch} StrictNodes 1"; 
its direct connection attempts routed via Tor. Some applications, such as those
   
using KDE KIO framework, don't make direct connections and instead use kdeinit4
    # Reject all exit traffic
to spawn worker processes, rendering the wrappers useless.
    ExitPolicy = "reject *:*"; 


For more security, you need to run an application inside a virtual machine and
    # Performance and security settings
configure its networking to be routed via Tor only.
    CookieAuthentication = true; 
    AvoidDiskWrites = 1;
    HardwareAccel = 1; 
    SafeLogging = 1;
    NumCPUs = 3; 


torsocks is a bit more secure because it blackholes UDP traffic and private IP traffic,
    # Network settings
such as LAN traffic.
    ORPort = [443];
  };
};


You should use torsocks where possible. Use torsocks-faster/fast port/Privoxy for HTTP(due to performance)
# Operating a Snowflake proxy helps others circumvent censorship. Safe to run.
and protocols which break if used from several IPs. Examples: ICQ login requires contacting different servers
services.snowflake-proxy = {
and checks that it is done from the same IP; FTP transfers are performed via separate connection
  enable = true;
which must originate from the same IP.
  capacity = 10;
};
</syntaxhighlight>


tsocks is the weakest wrapper which is nevertheless necessary if your application needs to make local
The Tor relay will require some days to advertise in the network, to the [https://metrics.torproject.org/rs.html relay index] and start generating traffic. You can query metrics about your relay on the relay index page using the name or email from the settings.
connections or makes DNS queries in a way not handled by torsocks. Example: Kopete's XMPP plugin
only works with tsocks and obviously leaks DNS queries.


== tsocks as a "guard" wrapper ==
In case your Tor relay is running behind a NAT network, be sure to forward the ORPort to your server running Tor.


Some applications have native support for HTTP/SOCKS proxies, and it is tempting to use it.
== Tips and Tricks ==
However, it isn't unheard of for proxy support to have bugs or for application plugins to ignore proxy
=== Location of Option ===
settings or settings getting lost. Using torsocks wrapper can be more reliable.
The global options are listed on [https://mynixos.com/search?q=tor MyNixOS].  


An alternative approach is use both tsocks and built-in proxy support. This way, if the application's proxy
=== Relay Management ===
support fails, the connection is likely to be caught by tsocks and if you run the application without
Tor relays are servers that help anonymize internet traffic by routing it through a series of nodes. Each relay in the Tor network plays a crucial role in maintaining the privacy and security of users by ensuring that no single point can trace the origin and destination of the data. The primary purpose of Tor relays is to facilitate anonymous communication and protect users from network surveillance and traffic analysis.
tsocks by mistake, the connections are still likely to be proxied.


== Privoxy ==
'''Types of Relays'''
* '''Entry (Guard) Relays:''' These are the first relays that Tor clients connect to. They are responsible for receiving traffic from the user and passing it to the middle relays. Entry relays are chosen carefully to ensure stability and reliability.
* '''Middle Relays:''' These relays pass traffic between the entry and exit relays. They add an additional layer of encryption and help obscure the path of the data.
* '''Exit Relays:''' These are the final relays that traffic passes through before reaching its destination. Exit relays decrypt the last layer of encryption and send the data to the intended recipient. They are crucial for accessing non-Tor websites and services.


By default, privoxy is enabled if you enable Tor client functionality (<code>services.tor.client.enable = true</code> in configuration.nix) and configured to route to the fast SOCKS port.
'''Performance Considerations'''
* '''Bandwidth:''' The speed and performance of the Tor network depend on the bandwidth provided by the relays. Higher bandwidth relays can handle more traffic and improve overall network performance.
* '''Latency:''' Due to the multiple layers of encryption and the routing through several relays, Tor can introduce latency, making it slower than direct internet connections.
* '''Load Balancing:''' The Tor network uses load balancing to distribute traffic evenly across relays, preventing any single relay from becoming a bottleneck.


== KDE and Tor ==
'''Security Risks'''
* '''Malicious Relays:''' Some relays may be operated by malicious actors attempting to intercept or manipulate traffic. The Tor network mitigates this risk through its layered encryption, but users should remain cautious.
* '''Exit Relay Monitoring:''' Since exit relays decrypt the final layer of encryption, they can potentially monitor unencrypted traffic. Users should use end-to-end encryption (e.g., HTTPS) to protect their data.
* '''Correlation Attacks:''' Adversaries with the ability to monitor both the entry and exit points of the Tor network may attempt to correlate traffic patterns and de-anonymize users.


In KDE, proxy server configuration is set for all applications at once.
'''Legal Issues'''
You should set the SOCKS proxy to Tor's default 9050 port, and set HTTP proxy to Privoxy(port 8118).
* '''Jurisdiction:''' Tor relays operate in various jurisdictions, each with its own legal framework. Relay operators should be aware of local laws and regulations regarding data privacy and internet usage.
Without Privoxy, KDE apps using either KHTML or WebKit KPart such as Konqueror, Rekonq, KTorrent, Akregator
* '''Liability:''' Exit relay operators may face legal scrutiny if their relays are used for illegal activities. It is important for operators to understand the potential legal implications and take appropriate measures to protect themselves.
would become nearly unusable and cause excessive load to the Tor network.


Another possibility is to run "tsocks kdeinit4", which would cause kdeinit4 to respawn in a wrapped state.
=== Client Bridge ===
All KDE applications started after this, will be wrapped with tsocks.
<div style="border: 1px solid #D33; background: #FFEBEB; padding: 30px; border-radius: 5px; margin: 10px 0px; display: flex; align-items: center;">
    <div style="color: #D33; font-size: 40px; margin-right: 15px; background: #FFEBEB; display: flex; line-height: 0;  align-items: center;">⚠</div>
    <div style="color: #D33; font-size: 15px; font-style: normal; font-weight: 400; line-height: normal; text-align: left;">Do not attempt to use Tor with any web browsers other than Tor Browser. Tor Browser integrates custom modifications to Firefox to enhance anonymity and ensure that information leakage does not occur. Using another web browser with Tor is likely to result in imperfect anonymity and is unsafe.</div>
</div>


=== Kopete ===
Tor can be enabled as a system service by enabling options {{nixos:option|services.tor.enable}}. Configuration of tor service is an example of [https://nixos.org/manual/nixos/stable/index.html#sec-freeform-modules Freeform module], so you can pass not only explicitly supported {{nixos:option|services.tor.settings}}, but all other [https://2019.www.torproject.org/docs/tor-manual.html.en torrc] options. For example, client bridge config can be set like this:


Kopete makes direct connections and ignores KDE settings. Kopete torification
<syntaxhighlight lang="nix">
dependins on what plugins you use. XMPP requires tsocks. ICQ requires torsocks-faster.
services.tor.settings = {
      UseBridges = true;
      ClientTransportPlugin = "obfs4 exec ${pkgs.obfs4}/bin/lyrebird";
      Bridge = "obfs4 IP:ORPort [fingerprint]"
};
</syntaxhighlight>


=== KDE PIM ===
By default, Tor in NixOS provides one SOCKS proxy on port 9050. Port 9050 is a "slow" SOCKS port which can be used for email, git, and pretty much any other protocol except HTTP(S). This is a safe default which complicates identity correlation attacks, although it isn't sufficient to completely thwart them.


KMail respects KDE-wide proxy settings, and the "safe" SOCKS port offers good isolation between your mailboxes.
By also enabling {{nixos:option|services.tor.client.enable}}, an additional SOCKS service on port 9063 can be enabled. This is a "fast" SOCKS port suitable for browser use; a new circuit is established every ten minutes.


== How to see what's going on, and work around bans ==
=== Sandboxing ===


Vidalia is convenient for troubleshooting and changing circuits should your
You can also run the [[Tor Browser in a Container]].
current exit node be banned by a particular site.
 
Vidalia needs an active control port:
Alternatively, Tor can be configured together with the [[Firejail#Torify_application_traffic|Firejail]] sandboxing solution.
 
=== Faster Reconnects on Network Switch ===
Using [[Systemd/networkd/dispatcher]] it is possible to restart the Tor daemon every time a network reconnect is performed. This avoids having to wait for Tor network timeouts and reestablishes a new connection faster.
 
'''Guard Wrappers'''
Some applications have native support for SOCKS proxies, and it is tempting to use such support. However, it isn't unheard of for proxy support to have bugs or for application plugins to ignore proxy settings or for settings to get lost. Using a wrapper such as torsocks can be more reliable.
 
An alternative approach is use both a wrapper and built-in proxy support. This way, if the application's proxy support fails, the connection is likely to be caught by the wrapper and if you run the application without the wrapper by mistake, the connections are still likely to be proxied.
 
=== KDE Integration ===
'''KDE Proxy Configuration'''
In KDE, proxy server configuration is set for all applications centrally. You should set the SOCKS proxy to Tor's default SOCKS port (127.0.0.1:9050), and set the HTTP proxy to Privoxy (127.0.0.1:8118).
 
Without Privoxy, KDE applications using either KHTML or WebKit KPart (such as Konqueror, Rekonq, KTorrent, Akregator) would become nearly unusable and cause excessive load to the Tor network.
 
Another possibility is to run <tt>tsocks kdeinit4</tt>, which would cause kdeinit4 to respawn in a wrapped state. All KDE applications started after this will be wrapped with tsocks.
 
'''Kopete'''
Kopete makes direct connections and ignores KDE settings. Kopete torification depends on what plugins you use. XMPP requires <tt>tsocks</tt>. ICQ requires <tt>torsocks-faster</tt>.
 
'''KDE PIM'''
KMail respects KDE-wide proxy settings, and the "safe" SOCKS port offers good isolation between mailboxes.
 
=== DNS over Tor ===
<syntaxhighlight lang="nix">
<syntaxhighlight lang="nix">
services.tor.controlPort = 9051;
services = {
  tor = {
    enable = true;
    client.dns.enable = true;
    settings.DNSPort = [{
      addr = "127.0.0.1";
      port = 53;
    }];
  };
  resolved = {
    enable = true; # For caching DNS requests.
    fallbackDns = [ "" ]; # Overwrite compiled-in fallback DNS servers.
  };
};
 
networking.nameservers = [ "127.0.0.1" ];
</syntaxhighlight>
</syntaxhighlight>


Vidalia allows you to change Tor configuration on the fly, which you should
Please refer to [https://wiki.archlinux.org/title/Tor#TorDNS ArchWiki] for details.
avoid doing and instead use NixOS config to control your Tor instance.
 
The only useful features are "new Identity" and "network map".
== References ==
 
# https://support.torproject.org/tbb/tbb-9
# https://nixos.org/manual/nixos/stable/index.html#sec-freeform-modules
# https://2019.www.torproject.org/docs/tor-manual.html.en
# https://wiki.archlinux.org/title/Tor#TorDNS
# https://mynixos.com/search?q=tor
 


If you do change something else by accident, you will have to manually edit
[[Category:Networking]]
Vidalia's configuration file ~/.vidalia/vidalia.conf and replace
[[Category:Applications]]
all "Changed = true" with "Changed = false", otherwise Vidalia and NixOS
[[Category:Server]]
will fight for the control of the Tor service process.
[[Category:Security]]
[[Category:Privacy]]

Latest revision as of 17:47, 4 July 2024

Tor is not a panacea. To achieve effective anonymity with Tor, you must understand its caveats and adjust your browsing habits. The Tor Project provides a crucial list of tips that you should read before using Tor.

Tor (The Onion Router) is a free, open-source software that enables anonymous internet communication. It protects users' privacy by routing traffic through a global network of volunteer-operated servers, masking IP addresses and online activities. Tor's key features include anonymity, privacy, and censorship circumvention. It supports hidden services with .onion domains for additional anonymity.

Tor works by encrypting data multiple times and sending it through a series of nodes (entry, middle, and exit), each decrypting a layer. This process, called onion routing, ensures no single point knows both the origin and destination.

Commonly used by journalists, activists, and privacy-conscious individuals, Tor helps bypass censorship and protect against surveillance. However, it can be slower than direct connections and has been associated with illegal activities due to its anonymity.

For more information, you can visit the official Tor Project website.

Installation

Using nix-shell

nix-shell -p tor-browser

Using Global Configuration

environment.systemPackages = [
  pkgs.tor-browser
];

After modifying your configuration, apply the changes by running:

sudo nixos-rebuild switch

Using Home Configuration

home.packages = [ 
  pkgs.tor-browser
];

After updating your configuration, apply the changes by running:

home-manager switch

Configuration

Basic

services.tor = {
  enable = true;
  openFirewall = true;
};

Advanced

services.tor = {
  enable = true; 

  # Disable GeoIP to prevent the Tor client from estimating the locations of Tor nodes it connects to
  enableGeoIP = false;

  # Enable Torsocks for transparent proxying of applications through Tor
  torsocks.enable = true;

  # Enable the Tor client
  client = {
    enable = true;
  };

  # Enable and configure the Tor relay
  relay = {
    enable = true;
    role = "relay";  # Set the relay role (e.g., "relay", "bridge")
  };

  # Configure Tor settings
  settings = {
    Nickname = "YourNickname";  
    ContactInfo = "your-email@example.com"; 

    # Bandwidth settings
    MaxAdvertisedBandwidth = "100 MB";  
    BandWidthRate = "50 MB";  
    RelayBandwidthRate = "50 MB";  
    RelayBandwidthBurst = "100 MB"; 

    # Restrict exit nodes to a specific country (use the appropriate country code)
    ExitNodes = "{ch} StrictNodes 1";  
    
    # Reject all exit traffic
    ExitPolicy = "reject *:*";  

    # Performance and security settings
    CookieAuthentication = true;  
    AvoidDiskWrites = 1; 
    HardwareAccel = 1;  
    SafeLogging = 1; 
    NumCPUs = 3;   

    # Network settings
    ORPort = [443];
  };
};

# Operating a Snowflake proxy helps others circumvent censorship. Safe to run.
services.snowflake-proxy = {
  enable = true;
  capacity = 10;
};

The Tor relay will require some days to advertise in the network, to the relay index and start generating traffic. You can query metrics about your relay on the relay index page using the name or email from the settings.

In case your Tor relay is running behind a NAT network, be sure to forward the ORPort to your server running Tor.

Tips and Tricks

Location of Option

The global options are listed on MyNixOS.

Relay Management

Tor relays are servers that help anonymize internet traffic by routing it through a series of nodes. Each relay in the Tor network plays a crucial role in maintaining the privacy and security of users by ensuring that no single point can trace the origin and destination of the data. The primary purpose of Tor relays is to facilitate anonymous communication and protect users from network surveillance and traffic analysis.

Types of Relays

  • Entry (Guard) Relays: These are the first relays that Tor clients connect to. They are responsible for receiving traffic from the user and passing it to the middle relays. Entry relays are chosen carefully to ensure stability and reliability.
  • Middle Relays: These relays pass traffic between the entry and exit relays. They add an additional layer of encryption and help obscure the path of the data.
  • Exit Relays: These are the final relays that traffic passes through before reaching its destination. Exit relays decrypt the last layer of encryption and send the data to the intended recipient. They are crucial for accessing non-Tor websites and services.

Performance Considerations

  • Bandwidth: The speed and performance of the Tor network depend on the bandwidth provided by the relays. Higher bandwidth relays can handle more traffic and improve overall network performance.
  • Latency: Due to the multiple layers of encryption and the routing through several relays, Tor can introduce latency, making it slower than direct internet connections.
  • Load Balancing: The Tor network uses load balancing to distribute traffic evenly across relays, preventing any single relay from becoming a bottleneck.

Security Risks

  • Malicious Relays: Some relays may be operated by malicious actors attempting to intercept or manipulate traffic. The Tor network mitigates this risk through its layered encryption, but users should remain cautious.
  • Exit Relay Monitoring: Since exit relays decrypt the final layer of encryption, they can potentially monitor unencrypted traffic. Users should use end-to-end encryption (e.g., HTTPS) to protect their data.
  • Correlation Attacks: Adversaries with the ability to monitor both the entry and exit points of the Tor network may attempt to correlate traffic patterns and de-anonymize users.

Legal Issues

  • Jurisdiction: Tor relays operate in various jurisdictions, each with its own legal framework. Relay operators should be aware of local laws and regulations regarding data privacy and internet usage.
  • Liability: Exit relay operators may face legal scrutiny if their relays are used for illegal activities. It is important for operators to understand the potential legal implications and take appropriate measures to protect themselves.

Client Bridge

Do not attempt to use Tor with any web browsers other than Tor Browser. Tor Browser integrates custom modifications to Firefox to enhance anonymity and ensure that information leakage does not occur. Using another web browser with Tor is likely to result in imperfect anonymity and is unsafe.

Tor can be enabled as a system service by enabling options services.tor.enable. Configuration of tor service is an example of Freeform module, so you can pass not only explicitly supported services.tor.settings, but all other torrc options. For example, client bridge config can be set like this:

services.tor.settings = {
      UseBridges = true;
      ClientTransportPlugin = "obfs4 exec ${pkgs.obfs4}/bin/lyrebird";
      Bridge = "obfs4 IP:ORPort [fingerprint]"
};

By default, Tor in NixOS provides one SOCKS proxy on port 9050. Port 9050 is a "slow" SOCKS port which can be used for email, git, and pretty much any other protocol except HTTP(S). This is a safe default which complicates identity correlation attacks, although it isn't sufficient to completely thwart them.

By also enabling services.tor.client.enable, an additional SOCKS service on port 9063 can be enabled. This is a "fast" SOCKS port suitable for browser use; a new circuit is established every ten minutes.

Sandboxing

You can also run the Tor Browser in a Container.

Alternatively, Tor can be configured together with the Firejail sandboxing solution.

Faster Reconnects on Network Switch

Using Systemd/networkd/dispatcher it is possible to restart the Tor daemon every time a network reconnect is performed. This avoids having to wait for Tor network timeouts and reestablishes a new connection faster.

Guard Wrappers Some applications have native support for SOCKS proxies, and it is tempting to use such support. However, it isn't unheard of for proxy support to have bugs or for application plugins to ignore proxy settings or for settings to get lost. Using a wrapper such as torsocks can be more reliable.

An alternative approach is use both a wrapper and built-in proxy support. This way, if the application's proxy support fails, the connection is likely to be caught by the wrapper and if you run the application without the wrapper by mistake, the connections are still likely to be proxied.

KDE Integration

KDE Proxy Configuration In KDE, proxy server configuration is set for all applications centrally. You should set the SOCKS proxy to Tor's default SOCKS port (127.0.0.1:9050), and set the HTTP proxy to Privoxy (127.0.0.1:8118).

Without Privoxy, KDE applications using either KHTML or WebKit KPart (such as Konqueror, Rekonq, KTorrent, Akregator) would become nearly unusable and cause excessive load to the Tor network.

Another possibility is to run tsocks kdeinit4, which would cause kdeinit4 to respawn in a wrapped state. All KDE applications started after this will be wrapped with tsocks.

Kopete Kopete makes direct connections and ignores KDE settings. Kopete torification depends on what plugins you use. XMPP requires tsocks. ICQ requires torsocks-faster.

KDE PIM KMail respects KDE-wide proxy settings, and the "safe" SOCKS port offers good isolation between mailboxes.

DNS over Tor

services = {
  tor = {
    enable = true;
    client.dns.enable = true;
    settings.DNSPort = [{
      addr = "127.0.0.1";
      port = 53;
    }];
  };
  resolved = {
    enable = true; # For caching DNS requests.
    fallbackDns = [ "" ]; # Overwrite compiled-in fallback DNS servers.
  };
};

networking.nameservers = [ "127.0.0.1" ];

Please refer to ArchWiki for details.

References

  1. https://support.torproject.org/tbb/tbb-9
  2. https://nixos.org/manual/nixos/stable/index.html#sec-freeform-modules
  3. https://2019.www.torproject.org/docs/tor-manual.html.en
  4. https://wiki.archlinux.org/title/Tor#TorDNS
  5. https://mynixos.com/search?q=tor