Tor

From NixOS Wiki
Revision as of 16:48, 6 April 2024 by Mic92 (talk | contribs) (Write about DNS over Tor.)

The Tor Project (The onion routing) is an open source implementation of onion routing that provides free access to an anonymous proxy network. Its primary goal is to enable online anonymity by protecting against traffic analysis attacks.


Server

Relay setup

Tor relays work together to route internet traffic through the Tor network, using encrypted connections to maintain anonymity and privacy for users. Please consult the Tor relay manual about basic concepts and technical considerations.

The following minimal example will enable a Tor relay on the default port 9001 which will be opened on the firewall. Change ContactInfo and Nickname to your personal contact information which will be visible on the Tor network and to the public. Average bandwith usage will be limited with the BandWithRate setting.

services.tor = {
  enable = true;
  openFirewall = true;
  relay = {
    enable = true;
    role = "relay";
  };
  settings = {
    ContactInfo = "toradmin@example.org";
    Nickname = "toradmin";
    ORPort = 9001;
    ControlPort = 9051;
    BandWidthRate = "1 MBytes";
  };
};

The Tor relay might require some days to advertise in the network, to the relay index and start generating traffic. You can query metrics about your relay on the relay index page using your individual fingerprint hash which can be found in /var/lib/tor/fingerprint.

In case your Tor relay is running behind a NAT network, be sure to forward the ORPort to your server running Tor. Additionally you might need to add the Address attribute to the settings option, pointing to the IP or domain name where your relay is reachable from the outside world, for example: services.tor.settings.Address = "myserver.org";

Clients

Tor-Browser

NixOS packages the Tor Browser Bundle, which is the recommended way to browse the web using Tor. Install the tor-browser-bundle-bin package and run tor-browser. The browser bundle integrates its own Tor daemon and will handle connecting to the Tor network automatically.


Client bridge

Tor can be enabled as a system service by enabling options services.tor.enable. Configuration of tor service is an example of Freeform module, so you can pass not only explicitly supported services.tor.settings, but all other torrc options. For example, client bridge config can be set like this:

services.tor.settings = {
      UseBridges = true;
      ClientTransportPlugin = "obfs4 exec ${pkgs.obfs4}/bin/lyrebird";
      Bridge = "obfs4 IP:ORPort [fingerprint]"
};

By default Tor in NixOS provides one SOCKS proxy on port 9050. 9050 is a "slow" SOCKS port which can be used for email, git and pretty much any other protocol but HTTP(S) since a new circuit will be created for each destination IP. This is a safe default which complicates identity correlation attacks, although isn't sufficient to completely thwart them.

By also enabling services.tor.client.enable, an additional SOCKS service on port 9063 can be enabled. This is a "fast" SOCKS port suitable for browser use; a new circuit is established every ten minutes.

Privoxy

By default, the Privoxy HTTP proxy is enabled if you enable Tor client functionality (services.tor.client.enable). Privoxy listens on port 8118 and is configured to route to the fast SOCKS port. It is highly advisable to route HTTP traffic via Privoxy rather than via SOCKS directly.

Tor wrappers

Tor wrappers such as torsocks and tsocks can be used to intercept network API calls in applications to direct network activity over a Tor socks port. This allows non-Tor-aware, non-SOCKS-aware applications to have their traffic routed over Tor.


torsocks is slightly more secure than tsocks because it blackholes UDP traffic and private IP traffic, such as LAN traffic.

If you choose to use a wrapper, use torsocks where possible. Use torsocks-faster/the fast port/Privoxy for HTTP or protocols which break if used from several IPs (such as ICQ or FTP).

tsocks is the weakest wrapper, but it is necessary if your application needs to make local connections or makes DNS queries in a way not handled by torsocks. For example, Kopete's XMPP plugin only works with tsocks and leaks DNS queries.

"Guard" wrappers

Some applications have native support for SOCKS proxies, and it is tempting to use such support. However, it isn't unheard of for proxy support to have bugs or for application plugins to ignore proxy settings or for settings to get lost. Using a wrapper such as torsocks can be more reliable.

An alternative approach is use both a wrapper and built-in proxy support. This way, if the application's proxy support fails, the connection is likely to be caught by the wrapper and if you run the application without the wrapper by mistake, the connections are still likely to be proxied.

KDE

In KDE, proxy server configuration is set for all applications centrally. You should set the SOCKS proxy to Tor's default SOCKS port (127.0.0.1:9050), and set the HTTP proxy to Privoxy (127.0.0.1:8118).

Without Privoxy, KDE applications using either KHTML or WebKit KPart (such as Konqueror, Rekonq, KTorrent, Akregator) would become nearly unusable and cause excessive load to the Tor network.

Another possibility is to run tsocks kdeinit4, which would cause kdeinit4 to respawn in a wrapped state. All KDE applications started after this will be wrapped with tsocks.

Kopete

Kopete makes direct connections and ignores KDE settings. Kopete torification dependins on what plugins you use. XMPP requires tsocks. ICQ requires torsocks-faster.

KDE PIM

KMail respects KDE-wide proxy settings, and the "safe" SOCKS port offers good isolation between mailboxes.

DNS over Tor

services = {
  tor = {
    enable = true;
    client.dns.enable = true;
    settings.DNSPort = [{
      addr = "127.0.0.1";
      port = 53;
    }];
  };
  resolved = {
    enable = true; # For caching DNS requests.
    fallbackDns = [ "" ]; # Overwrite compiled-in fallback DNS servers.
  };
};

networking.nameservers = [ "127.0.0.1" ];

Please refer ArchWiki for details.

Tips and tricks

Sandboxing

You can also run the Tor Browser in a Container.

Alternativley Tor can be configured together with the Firejail sandboxing solution.

Faster reconnects on network switch

Using networkd-dispatcher it is possible to restart the Tor daemon every time network reconnect is performaed. This avoids having to wait for Tor network timeouts and reastablishes a new connection faster.