Tor: Difference between revisions

From NixOS Wiki
imported>Keyholder
fixing outdated binary filename
Layer-09 (talk | contribs)
m Made Tips and Tricks titles bigger
 
<div style="border: 1px solid #D33; background: #FFEBEB; padding: 30px; border-radius: 5px; margin: 10px 0px; display: flex; align-items: center;">
    <div style="color: #D33; font-size: 40px; margin-right: 15px; background: #FFEBEB; display: flex; line-height: 0;  align-items: center;">⚠</div>
    <div style="color: #D33; font-size: 15px; font-style: normal; font-weight: 400; line-height: normal; text-align: left;"><strong>Tor is not a panacea.</strong> To achieve effective anonymity with Tor, you must understand its <strong>caveats</strong> and adjust your <strong>browsing habits</strong>. The Tor Project provides a crucial [https://support.torproject.org/faq/staying-anonymous/ list of tips] that you should read before using Tor.</div>
</div>

<strong>[https://www.torproject.org Tor (The Onion Router)]</strong> is free, open-source software that enables anonymous internet communication. It protects users' privacy by routing traffic through a global network of volunteer-operated servers, masking IP addresses and online activities. Tor's key features include <strong>anonymity</strong>, <strong>privacy</strong>, and <strong>censorship circumvention</strong>. It supports hidden services with <strong>.onion domains</strong> for additional anonymity.

Tor works by encrypting data multiple times and sending it through a series of nodes (entry, middle, and exit), each decrypting a layer. This process, called <strong>onion routing</strong>, ensures no single point knows both the origin and destination.

Commonly used by <strong>journalists</strong>, <strong>activists</strong>, and <strong>privacy-conscious individuals</strong>, Tor helps bypass censorship and protect against surveillance. However, it can be slower than direct connections and has been associated with illegal activities due to its anonymity.

Tor relays work together to route internet traffic through the Tor network, using encrypted connections to maintain anonymity and privacy for users. Please consult the [https://community.torproject.org/relay Tor relay manual] about basic concepts and technical considerations. For more information, you can visit the official [https://www.torproject.org/ Tor Project website].

== Installation ==
 
NixOS packages the Tor Browser, which is the recommended way to browse the web using Tor. Install the <code>tor-browser</code> package and run <code>tor-browser</code>. The browser bundle integrates its own Tor daemon and connects to the Tor network automatically.

==== Using nix-shell ====
<syntaxhighlight lang="bash">
nix-shell -p tor-browser
</syntaxhighlight>

==== Using Global Configuration ====
<syntaxhighlight lang="nix">
environment.systemPackages = [
  pkgs.tor-browser
];
</syntaxhighlight>
After modifying your configuration, apply the changes by running:
<syntaxhighlight lang="bash">
sudo nixos-rebuild switch
</syntaxhighlight>

==== Using Home Configuration ====
<syntaxhighlight lang="nix">
home.packages = [
  pkgs.tor-browser
];
</syntaxhighlight>
After updating your configuration, apply the changes by running:
<syntaxhighlight lang="bash">
home-manager switch
</syntaxhighlight>
 
== Configuration ==

==== Basic ====

The following minimal example enables the Tor daemon and opens its relay ports on the [[Firewall|firewall]]:

<syntaxhighlight lang="nix">
services.tor = {
  enable = true;
  openFirewall = true;
};
</syntaxhighlight>

==== Advanced ====

The following example additionally runs a non-exit relay on port <code>443</code> (the <code>ORPort</code>), which is opened on the [[Firewall|firewall]]. Change <code>ContactInfo</code> and <code>Nickname</code> to your personal contact information, which will be visible on the Tor network and to the public. Average bandwidth usage is limited with the <code>BandwidthRate</code> setting.

<syntaxhighlight lang="nix">
services.tor = {
  enable = true;
  # Open the ORPort in the firewall so the relay is reachable (not needed for a client-only setup)
  openFirewall = true;

  # The GeoIP databases are needed for the country-code node selection (ExitNodes) below.
  # Set this to false to prevent the Tor client from estimating the locations of the Tor
  # nodes it connects to, but then remove ExitNodes/StrictNodes as well.
  enableGeoIP = true;

  # Enable Torsocks for transparent proxying of applications through Tor
  torsocks.enable = true;

  # Enable the Tor client
  client = {
    enable = true;
  };

  # Enable and configure the Tor relay
  relay = {
    enable = true;
    role = "relay";  # Set the relay role (e.g., "relay", "bridge")
  };

  # Configure Tor settings
  settings = {
    Nickname = "YourNickname";
    ContactInfo = "your-email@example.com";

    # Bandwidth settings
    MaxAdvertisedBandwidth = "100 MB";
    BandwidthRate = "50 MB";
    RelayBandwidthRate = "50 MB";
    RelayBandwidthBurst = "100 MB";

    # Restrict client circuits to exits in a specific country (use the appropriate country code).
    # StrictNodes is a separate torrc option and must not be appended to the ExitNodes value.
    ExitNodes = "{ch}";
    StrictNodes = true;

    # Reject all exit traffic (this relay is not an exit)
    ExitPolicy = "reject *:*";

    # Performance and security settings
    CookieAuthentication = true;
    AvoidDiskWrites = 1;
    HardwareAccel = 1;
    SafeLogging = 1;
    NumCPUs = 3;

    # Network settings
    ORPort = [443];
  };
};

# Operating a Snowflake proxy helps others circumvent censorship. Safe to run.
services.snowflake-proxy = {
  enable = true;
  capacity = 10;
};
</syntaxhighlight>


The Tor relay will require some days to advertise in the network, appear in the [https://metrics.torproject.org/rs.html relay index] and start generating traffic. You can query metrics about your relay on the relay index page using the nickname or contact email from the settings, or using the relay's fingerprint, which can be found in <code>/var/lib/tor/fingerprint</code>.

In case your Tor relay is running behind a NAT network, be sure to forward the ORPort to your server running Tor. Additionally you might need to add the <code>Address</code> attribute to the <code>settings</code> option, pointing to the IP or domain name where your relay is reachable from the outside world, for example: <code>services.tor.settings.Address = "myserver.org";</code>


== Tips and Tricks ==
=== Location of Option ===
The global options are listed on [https://mynixos.com/search?q=tor MyNixOS].

=== Relay Management ===
Tor relays are servers that help anonymize internet traffic by routing it through a series of nodes. Each relay in the Tor network plays a crucial role in maintaining the privacy and security of users by ensuring that no single point can trace the origin and destination of the data. The primary purpose of Tor relays is to facilitate anonymous communication and protect users from network surveillance and traffic analysis.

'''Types of Relays'''
* '''Entry (Guard) Relays:''' These are the first relays that Tor clients connect to. They are responsible for receiving traffic from the user and passing it to the middle relays. Entry relays are chosen carefully to ensure stability and reliability.
* '''Middle Relays:''' These relays pass traffic between the entry and exit relays. They add an additional layer of encryption and help obscure the path of the data.
* '''Exit Relays:''' These are the final relays that traffic passes through before reaching its destination. Exit relays decrypt the last layer of encryption and send the data to the intended recipient. They are crucial for accessing non-Tor websites and services.

'''Performance Considerations'''
* '''Bandwidth:''' The speed and performance of the Tor network depend on the bandwidth provided by the relays. Higher bandwidth relays can handle more traffic and improve overall network performance.
* '''Latency:''' Due to the multiple layers of encryption and the routing through several relays, Tor can introduce latency, making it slower than direct internet connections.
* '''Load Balancing:''' The Tor network uses load balancing to distribute traffic evenly across relays, preventing any single relay from becoming a bottleneck.

'''Security Risks'''
* '''Malicious Relays:''' Some relays may be operated by malicious actors attempting to intercept or manipulate traffic. The Tor network mitigates this risk through its layered encryption, but users should remain cautious.
* '''Exit Relay Monitoring:''' Since exit relays decrypt the final layer of encryption, they can potentially monitor unencrypted traffic. Users should use end-to-end encryption (e.g., HTTPS) to protect their data.
* '''Correlation Attacks:''' Adversaries with the ability to monitor both the entry and exit points of the Tor network may attempt to correlate traffic patterns and de-anonymize users.

'''Legal Issues'''
* '''Jurisdiction:''' Tor relays operate in various jurisdictions, each with its own legal framework. Relay operators should be aware of local laws and regulations regarding data privacy and internet usage.
* '''Liability:''' Exit relay operators may face legal scrutiny if their relays are used for illegal activities. It is important for operators to understand the potential legal implications and take appropriate measures to protect themselves.


=== Client Bridge ===
<div style="border: 1px solid #D33; background: #FFEBEB; padding: 30px; border-radius: 5px; margin: 10px 0px; display: flex; align-items: center;">
    <div style="color: #D33; font-size: 40px; margin-right: 15px; background: #FFEBEB; display: flex; line-height: 0;  align-items: center;">⚠</div>
    <div style="color: #D33; font-size: 15px; font-style: normal; font-weight: 400; line-height: normal; text-align: left;">Do not attempt to use Tor with any web browsers other than Tor Browser. Tor Browser integrates custom modifications to Firefox to enhance anonymity and ensure that information leakage does not occur. Using another web browser with Tor [https://support.torproject.org/tbb/tbb-9 is likely to result in imperfect anonymity and is unsafe].</div>
</div>

Tor can be enabled as a system service by enabling the option {{nixos:option|services.tor.enable}}. The configuration of the tor service is an example of a [https://nixos.org/manual/nixos/stable/index.html#sec-freeform-modules freeform module], so you can pass not only the explicitly supported {{nixos:option|services.tor.settings}} options, but all other [https://2019.www.torproject.org/docs/tor-manual.html.en torrc] options. For example, a client bridge configuration can be set like this:

<syntaxhighlight lang="nix">
services.tor.settings = {
  UseBridges = true;
  ClientTransportPlugin = "obfs4 exec ${pkgs.obfs4}/bin/lyrebird";
  # Replace IP, ORPort and fingerprint with the bridge line you obtained from the Tor Project
  Bridge = "obfs4 IP:ORPort [fingerprint]";
};
</syntaxhighlight>

By default, Tor in NixOS provides one SOCKS proxy on port 9050. Port 9050 is a "slow" SOCKS port which can be used for email, git, and pretty much any other protocol except HTTP(S), since a new circuit is created for each destination IP. This is a safe default which complicates identity correlation attacks, although it isn't sufficient to completely thwart them.

By also enabling {{nixos:option|services.tor.client.enable}}, an additional SOCKS service on port 9063 can be enabled. This is a "fast" SOCKS port suitable for browser use; a new circuit is established every ten minutes.
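To make the freeform <code>services.tor.settings</code> mapping tangible, here is an added Python example (not code from the NixOS tor module, the wiki, or the Tor project) that renders a settings dictionary into the torrc lines it would roughly become and then runs a few sanity checks over a relay configuration. The rendering rules (booleans become <code>1</code>/<code>0</code>, lists become one line per entry, port attribute sets become <code>addr:port</code>) are an approximation of the module's behaviour and are labelled as an assumption; the <code>KNOWN_OPTIONS</code> set and both settings dictionaries are constructed for this example. The lint catches the mistake of pasting a second option into a value (for instance <code>ExitNodes = "{ch} StrictNodes 1"</code>, which tor would not read as two options) and a relay that advertises an <code>ORPort</code> without contact information or an explicit <code>ExitPolicy</code>.

```python
"""Render freeform NixOS services.tor.settings into torrc lines and sanity-check them.

Added example: the rendering rules approximate what the NixOS tor module does
(booleans -> 1/0, lists -> one line per entry, port attrsets -> "addr:port flags").
They are an assumption, not the module's own code.
"""
from __future__ import annotations

from typing import Any

# Keys the NixOS module joins with commas instead of repeating the key (assumption).
COMMA_JOINED = {"AutomapHostsSuffixes", "DirPolicy", "ExitPolicy", "SocksPolicy"}

# Small constructed set of torrc option names, used to spot values that embed a second option.
KNOWN_OPTIONS = {
    "BandwidthRate", "ContactInfo", "ExitNodes", "ExitPolicy", "Nickname",
    "ORPort", "StrictNodes", "UseBridges",
}


def _scalar(value: Any) -> str:
    """Render one torrc value: booleans as 1/0, port attrsets as addr:port plus flags."""
    if value is True:
        return "1"
    if value is False:
        return "0"
    if isinstance(value, dict):
        addr_port = f"{value['addr']}:{value['port']}" if "addr" in value else str(value["port"])
        return " ".join([addr_port, *value.get("flags", [])])
    return str(value)


def render_torrc(settings: dict[str, Any]) -> list[str]:
    """Turn a settings mapping into sorted 'Key value' torrc lines, skipping null/empty entries."""
    lines: list[str] = []
    for key in sorted(settings):
        value = settings[key]
        if value is None or value == "" or value == []:
            continue
        if isinstance(value, list):
            if key in COMMA_JOINED:
                lines.append(f"{key} {','.join(_scalar(v) for v in value)}")
            else:
                lines.extend(f"{key} {_scalar(v)}" for v in value)
        else:
            lines.append(f"{key} {_scalar(value)}")
    return lines


def lint_settings(settings: dict[str, Any]) -> list[str]:
    """Return human-readable warnings for common relay-configuration mistakes."""
    warnings: list[str] = []
    is_relay = settings.get("ORPort") not in (None, False, [], 0)
    if is_relay:
        for required in ("Nickname", "ContactInfo"):
            if not settings.get(required):
                warnings.append(f"{required} is unset: a relay should be identifiable and contactable")
        if "ExitPolicy" not in settings:
            warnings.append("ExitPolicy is unset: state it explicitly so running an exit is a deliberate choice")
    for key, value in settings.items():
        if isinstance(value, str):
            # A torrc option name inside a value means two settings were pasted into one.
            embedded = KNOWN_OPTIONS.intersection(value.split()) - {key}
            if embedded:
                warnings.append(f"{key} value embeds another option name {sorted(embedded)}: {value!r}")
    return warnings


# Constructed settings mirroring the page's advanced relay example, with ExitNodes/StrictNodes split.
RELAY_SETTINGS: dict[str, Any] = {
    "Nickname": "YourNickname",
    "ContactInfo": "your-email@example.com",
    "BandwidthRate": "50 MB",
    "ExitNodes": "{ch}",
    "StrictNodes": True,
    "ExitPolicy": "reject *:*",
    "CookieAuthentication": True,
    "ORPort": [443],
    "DNSPort": [{"addr": "127.0.0.1", "port": 53}],
}

# Constructed copy of the common mistake: a second option pasted into a value, and no contact info.
BROKEN_SETTINGS: dict[str, Any] = {
    "ORPort": 9001,
    "ExitNodes": "{ch} StrictNodes 1",
}

if __name__ == "__main__":
    print("\n".join(render_torrc(RELAY_SETTINGS)))
    for warning in lint_settings(BROKEN_SETTINGS):
        print("WARNING:", warning)
```

Running the module prints the rendered torrc for <code>RELAY_SETTINGS</code> and four warnings for <code>BROKEN_SETTINGS</code>; the real check remains reading the torrc that NixOS generates and tor's own log output after <code>nixos-rebuild switch</code>, since tor validates option names and values itself.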


=== Sandboxing ===

You can also run the [[Tor Browser in a Container]].

Alternatively, Tor can be configured together with the [[Firejail#Torify_application_traffic|Firejail]] sandboxing solution.

=== Faster Reconnects on Network Switch ===

Using [[Systemd/networkd/dispatcher]] it is possible to restart the Tor daemon every time a network reconnect is performed. This avoids having to wait for Tor network timeouts and reestablishes a new connection faster.

=== Privoxy ===

By default, the Privoxy HTTP proxy is enabled if you enable Tor client functionality ({{nixos:option|services.tor.client.enable}}). Privoxy listens on port 8118 and is configured to route to the fast SOCKS port. It is highly advisable to route HTTP traffic via Privoxy rather than via SOCKS directly.

=== Tor wrappers ===

Tor wrappers such as <code>torsocks</code> and <code>tsocks</code> can be used to intercept network API calls in applications to direct network activity over a Tor SOCKS port. This allows non-Tor-aware, non-SOCKS-aware applications to have their traffic routed over Tor.

<div style="border: 1px solid #D33; background: #FFEBEB; padding: 30px; border-radius: 5px; margin: 10px 0px; display: flex; align-items: center;">
    <div style="color: #D33; font-size: 40px; margin-right: 15px; background: #FFEBEB; display: flex; line-height: 0;  align-items: center;">⚠</div>
    <div style="color: #D33; font-size: 15px; font-style: normal; font-weight: 400; line-height: normal; text-align: left;">Tor wrappers cannot reliably prevent an application from establishing connections outside of the Tor network; they merely ensure that non-malicious code using networking APIs in straightforward ways has its direct connection attempts routed via Tor. As such, ''Tor wrappers are not a secure isolation mechanism.'' Some applications, such as those using the KDE KIO framework, don't make direct connections and instead use <code>kdeinit4</code> to spawn worker processes, rendering the wrappers useless. For full isolation, run an application inside a virtual machine and configure its network activity to be routed via Tor only, with non-Tor traffic blocked.</div>
</div>

torsocks is slightly more secure than tsocks because it blackholes UDP traffic and private IP traffic, such as LAN traffic.

If you choose to use a wrapper, use torsocks where possible. Use torsocks-faster, the fast port or Privoxy for HTTP, or for protocols which break if used from several IPs (such as ICQ or FTP).

tsocks is the weakest wrapper, but it is necessary if your application needs to make local connections or makes DNS queries in a way not handled by torsocks. For example, Kopete's XMPP plugin only works with tsocks and leaks DNS queries.
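The SOCKS ports and the DNS-leak remark above come down to one detail of the SOCKS5 exchange: whether the client hands Tor a hostname (which Tor then resolves inside the circuit) or resolves the name locally first and hands Tor an IP. The following added Python example (not code from the wiki, NixOS, or the Tor project) builds the request a Tor-aware client sends to the SOCKS port, always encoding hostnames as SOCKS5 domain names, decodes the reply, and includes Tor's documented RESOLVE extension command (<code>0xF0</code>). The reply bytes in the test are constructed; <code>socks5_exchange</code> needs a running tor on 127.0.0.1:9050 and is not exercised offline.

```python
"""SOCKS5 requests and replies for Tor's SOCKS ports, resolving names through Tor.

Added example (not from the wiki or the Tor project): builds the CONNECT request that a
Tor-aware client sends to 127.0.0.1:9050, passes hostnames to Tor instead of resolving
them locally, and decodes Tor's reply. CMD_RESOLVE (0xF0) is Tor's SOCKS5 extension.
"""
from __future__ import annotations

import ipaddress
import socket
import struct

SOCKS_VERSION = 0x05
CMD_CONNECT = 0x01
CMD_RESOLVE = 0xF0      # Tor extension: resolve a hostname over a circuit
CMD_RESOLVE_PTR = 0xF1  # Tor extension: reverse lookup over a circuit
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04

REPLY_CODES = {
    0x00: "succeeded",
    0x01: "general SOCKS server failure",
    0x02: "connection not allowed by ruleset",
    0x03: "network unreachable",
    0x04: "host unreachable",
    0x05: "connection refused",
    0x06: "TTL expired",
    0x07: "command not supported",
    0x08: "address type not supported",
}


def encode_address(host: str) -> bytes:
    """Encode the target as ATYP + address.

    IP literals use ATYP 1/4. Anything else is sent verbatim as a domain name (ATYP 3)
    so Tor resolves it at the exit. Resolving locally first and sending the IP would
    hand the lookup to the system resolver, which is the DNS leak the wrappers warn about.
    """
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        name = host.encode("idna")
        if not 1 <= len(name) <= 255:
            raise ValueError("domain name must be 1..255 bytes")
        return bytes([ATYP_DOMAIN, len(name)]) + name
    return bytes([ATYP_IPV4 if ip.version == 4 else ATYP_IPV6]) + ip.packed


def build_request(cmd: int, host: str, port: int) -> bytes:
    """VER CMD RSV ATYP DST.ADDR DST.PORT, as laid out in RFC 1928."""
    if not 0 <= port <= 0xFFFF:
        raise ValueError("port out of range")
    return bytes([SOCKS_VERSION, cmd, 0x00]) + encode_address(host) + struct.pack("!H", port)


def parse_reply(data: bytes) -> tuple[int, str, int]:
    """Decode VER REP RSV ATYP BND.ADDR BND.PORT; returns (reply code, address, port)."""
    if len(data) < 4 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 reply")
    code, atyp = data[1], data[3]
    if atyp == ATYP_IPV4:
        addr, rest = str(ipaddress.IPv4Address(data[4:8])), data[8:]
    elif atyp == ATYP_IPV6:
        addr, rest = str(ipaddress.IPv6Address(data[4:20])), data[20:]
    elif atyp == ATYP_DOMAIN:
        length = data[4]
        addr, rest = data[5:5 + length].decode("idna"), data[5 + length:]
    else:
        raise ValueError(f"unknown address type {atyp:#x}")
    if len(rest) < 2:
        raise ValueError("truncated reply")
    return code, addr, struct.unpack("!H", rest[:2])[0]


def socks5_exchange(cmd: int, host: str, port: int,
                    proxy: tuple[str, int] = ("127.0.0.1", 9050)) -> tuple[int, str, int, socket.socket]:
    """Greeting plus request against a live Tor SOCKS port (requires a running tor)."""
    sock = socket.create_connection(proxy, timeout=60)
    sock.sendall(bytes([SOCKS_VERSION, 0x01, 0x00]))  # offer only "no authentication"
    choice = sock.recv(2)
    if choice != bytes([SOCKS_VERSION, 0x00]):
        sock.close()
        raise ConnectionError(f"proxy rejected the no-auth method: {choice!r}")
    sock.sendall(build_request(cmd, host, port))
    code, addr, bound_port = parse_reply(sock.recv(262))
    return code, addr, bound_port, sock
```

With tor running, <code>socks5_exchange(CMD_RESOLVE, "example.com", 0)</code> returns the address the exit resolved, and <code>socks5_exchange(CMD_CONNECT, "example.onion", 80)</code> hands back a socket whose traffic goes through the circuit; a reply code other than 0 maps to a reason in <code>REPLY_CODES</code>. The same builder works against the "fast" port 9063 by changing <code>proxy</code>.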
 
== "Guard" wrappers ==


'''Guard Wrappers'''
Some applications have native support for SOCKS proxies, and it is tempting to use such support. However, it isn't unheard of for proxy support to have bugs or for application plugins to ignore proxy settings or for settings to get lost. Using a wrapper such as torsocks can be more reliable.
Some applications have native support for SOCKS proxies, and it is tempting to use such support. However, it isn't unheard of for proxy support to have bugs or for application plugins to ignore proxy settings or for settings to get lost. Using a wrapper such as torsocks can be more reliable.


An alternative approach is use both a wrapper and built-in proxy support. This way, if the application's proxy support fails, the connection is likely to be caught by the wrapper and if you run the application without the wrapper by mistake, the connections are still likely to be proxied.
An alternative approach is use both a wrapper and built-in proxy support. This way, if the application's proxy support fails, the connection is likely to be caught by the wrapper and if you run the application without the wrapper by mistake, the connections are still likely to be proxied.


=== KDE Integration ===

'''KDE Proxy Configuration'''

In KDE, proxy server configuration is set for all applications centrally. You should set the SOCKS proxy to Tor's default SOCKS port (127.0.0.1:9050), and set the HTTP proxy to Privoxy (127.0.0.1:8118).

Without Privoxy, KDE applications using either KHTML or WebKit KPart (such as Konqueror, Rekonq, KTorrent, Akregator) would become nearly unusable and cause excessive load to the Tor network.

Another possibility is to run <code>tsocks kdeinit4</code>, which would cause kdeinit4 to respawn in a wrapped state. All KDE applications started after this will be wrapped with tsocks.

'''Kopete'''

Kopete makes direct connections and ignores KDE settings. Kopete torification depends on what plugins you use. XMPP requires <code>tsocks</code>. ICQ requires <code>torsocks-faster</code>.

'''KDE PIM'''

KMail respects KDE-wide proxy settings, and the "safe" SOCKS port offers good isolation between mailboxes.


=== DNS over Tor ===
<syntaxhighlight lang="nix">
services = {
  tor = {
    enable = true;
    client.dns.enable = true;
    settings.DNSPort = [{
      addr = "127.0.0.1";
      port = 53;
    }];
  };
  resolved = {
    enable = true; # For caching DNS requests.
    fallbackDns = [ "" ]; # Overwrite compiled-in fallback DNS servers.
  };
};

networking.nameservers = [ "127.0.0.1" ];
</syntaxhighlight>

Please refer to the [https://wiki.archlinux.org/title/Tor#TorDNS ArchWiki] for details.

== References ==

# https://support.torproject.org/tbb/tbb-9
# https://nixos.org/manual/nixos/stable/index.html#sec-freeform-modules
# https://2019.www.torproject.org/docs/tor-manual.html.en
# https://wiki.archlinux.org/title/Tor#TorDNS
# https://mynixos.com/search?q=tor

[[Category:Configuration]]
[[Category:Networking]]
[[Category:Applications]]
[[Category:Server]]
[[Category:Security]]
[[Category:Privacy]]

Latest revision as of 17:47, 4 July 2024
