Tor: Difference between revisions
imported>Onny Add tips and tricks |
imported>Onny Add section on relay setup |
||
| Line 3: | Line 3: | ||
{{Security Warning|'''Tor is not a panacea.''' If you rely on Tor for anonymity, you should ensure you have a complete understanding of its caveats. Obtaining effective anonymity via Tor '''requires''' you to make certain changes to your browsing habits. The Tor Project has an important [https://support.torproject.org/faq/staying-anonymous/ list of tips] available for you to read; you should familiarise yourself with them before using Tor.}} | {{Security Warning|'''Tor is not a panacea.''' If you rely on Tor for anonymity, you should ensure you have a complete understanding of its caveats. Obtaining effective anonymity via Tor '''requires''' you to make certain changes to your browsing habits. The Tor Project has an important [https://support.torproject.org/faq/staying-anonymous/ list of tips] available for you to read; you should familiarise yourself with them before using Tor.}} | ||
= | = Server = | ||
== Relay setup == | |||
Tor relays work together to route internet traffic through the Tor network, using encrypted connections to maintain anonymity and privacy for users. Please consult the [https://community.torproject.org/relay Tor relay manual] about basic concepts and technical considerations. | |||
The following minimal example will enable a Tor relay on the default port <code>9001</code> which will be opened on the [[Firewall|firewall]. Change <code>ContactInfo</code> and <code>Nickname</code> to your personal contact information which will be visible on the Tor network and to the public. Average bandwith usage will be limited with the <code>BandWithRate</code> setting. | |||
<syntaxhighlight lang="nix"> | |||
services.tor = { | |||
enable = true; | |||
openFirewall = true; | |||
relay = { | |||
enable = true; | |||
role = "relay"; | |||
}; | |||
settings = { | |||
ContactInfo = "toradmin@example.org"; | |||
Nickname = "toradmin"; | |||
ORPort = 9001; | |||
ControlPort = 9051; | |||
BandWidthRate = "1 MBytes"; | |||
}; | |||
}; | |||
</syntaxhighlight> | |||
= Clients = | |||
== Tor-Browser == | == Tor-Browser == | ||
| Line 9: | Line 35: | ||
NixOS packages the Tor Browser Bundle, which is the recommended way to browse the web using Tor. Install the <tt>tor-browser-bundle-bin</tt> package and run <tt>tor-browser</tt>. The browser bundle integrates its own Tor daemon and will handle connecting to the Tor network automatically. | NixOS packages the Tor Browser Bundle, which is the recommended way to browse the web using Tor. Install the <tt>tor-browser-bundle-bin</tt> package and run <tt>tor-browser</tt>. The browser bundle integrates its own Tor daemon and will handle connecting to the Tor network automatically. | ||
= | |||
== Client bridge == | |||
{{Security Warning|Do not attempt to use Tor with any web browsers other than Tor Browser. Tor Browser integrates custom modifications to Firefox to enhance anonymity and ensure that information leakage does not occur. Using another web browser with Tor [https://support.torproject.org/tbb/tbb-9 is likely to result in imperfect anonymity and is unsafe].}} | {{Security Warning|Do not attempt to use Tor with any web browsers other than Tor Browser. Tor Browser integrates custom modifications to Firefox to enhance anonymity and ensure that information leakage does not occur. Using another web browser with Tor [https://support.torproject.org/tbb/tbb-9 is likely to result in imperfect anonymity and is unsafe].}} | ||
| Line 26: | Line 53: | ||
By also enabling {{nixos:option|services.tor.client.enable}}, an additional SOCKS service on port 9063 can be enabled. This is a "fast" SOCKS port suitable for browser use; a new circuit is established every ten minutes. | By also enabling {{nixos:option|services.tor.client.enable}}, an additional SOCKS service on port 9063 can be enabled. This is a "fast" SOCKS port suitable for browser use; a new circuit is established every ten minutes. | ||
== Privoxy == | == Privoxy == | ||
| Line 55: | Line 80: | ||
== "Guard" wrappers == | == "Guard" wrappers == | ||
Some applications have native support for SOCKS proxies, and it is tempting to use such support. | Some applications have native support for SOCKS proxies, and it is tempting to use such support. However, it isn't unheard of for proxy support to have bugs or for application plugins to ignore proxy settings or for settings to get lost. Using a wrapper such as torsocks can be more reliable. | ||
However, it isn't unheard of for proxy support to have bugs or for application plugins to ignore proxy | |||
settings or for settings to get lost. Using a wrapper such as torsocks can be more reliable. | |||
An alternative approach is use both a wrapper and built-in proxy support. This way, if the application's proxy support fails, the connection is likely to be caught by the wrapper and if you run the application without the wrapper by mistake, the connections are still likely to be proxied. | An alternative approach is use both a wrapper and built-in proxy support. This way, if the application's proxy support fails, the connection is likely to be caught by the wrapper and if you run the application without the wrapper by mistake, the connections are still likely to be proxied. | ||
| Line 75: | Line 98: | ||
== KDE PIM == | == KDE PIM == | ||
KMail respects KDE-wide proxy settings, and the "safe" SOCKS port offers good isolation between mailboxes. | KMail respects KDE-wide proxy settings, and the "safe" SOCKS port offers good isolation between mailboxes. | ||