[HOWTO] use Tor network and web proxy

[nickednamed]

I'm going to attempt to show anyone who is interested how I got Tor up and running on my FreeBSD system.

NOTE: I am most definitely not a security expert. I just did this out of interest really, so comments/criticisms are welcome. That said, I hope someone finds this as useful as I would have before attempting to set up Tor + web proxy.

I will edit and update this HOWTO as needed to reflect issues and suggestions.

So here is what we'll do:

1. Install and configure security/tor.
2. Install and configure your web proxy of choice (www/polipo or www/privoxy).
3. Configure our browser to use the installed applications.
4. Test that it works.

Here goes...

1. Install tor:

# portmaster security/tor

Copy the sample configuration file and prepare to edit it:
# cp /usr/local/etc/tor/torrc.sample /usr/local/etc/tor/torrc

We want tor to start as a daemon so find /usr/local/etc/tor/torrc and uncomment the line that reads:

RunAsDaemon1

Let's have it run at boot by adding the following to /etc/rc.conf:

tor_enable="YES"

2. Let's install and configure our web proxy:

Polipo:

We'll start with Polipo. Install Polipo: # portmaster www/polipo

Copy the sample configuration file, and get ready to edit it:
# cp /usr/local/etc/polipo/config.sample /usr/local/etc/polipo/config

The config file is very well-commented, so I will list only the lines uncommented or changed. The config file should explain well what they mean. For a more complete list of options, run: polipo -v.

Find /usr/local/etc/polipo/config and uncomment or change the following lines as necessary:

proxyAddress = "127.0.0.1"
proxyPort = 8118
allowedClients = 127.0.0.1
allowedPorts = 1-65535
proxyName = "localhost"
cacheIsShared = false
socksParentProxy = "localhost:9050"
socksProxyType = socks4a
chunkHighMark = 819200
objectHighMark = 128
diskCacheRoot = ""
disableLocalInterface = true
disableConfiguration = true
localDocumentRoot = ""
dnsUseGethostbyname = yes
disableVia=falsecensoredHeaders = from, accept-language, x-pad, link
censorReferer = maybe
daemonise = true
logSyslog = true
maxConnectionAge = 5m
maxConnectionRequests = 120
serverMaxSlots = 8
serverSlots = 2
tunnelAllowedPorts = 1-65535

Let's start the polipo service: # /usr/local/etc/rc.d/polipo start

Now, let's have it run at boot by adding the following to /etc/rc.conf:

polipo_enable="YES"

That should be enough for Polipo.

NOTE: Polipo needs to be restarted for any changes to take effect.

Privoxy:

Let's look at how to install and set up www/privoxy:

Install privoxy: # portmaster www/privoxy

Now, let's have it run at boot by adding the following to /etc/rc.conf:

privoxy_enable="YES"

To start Privoxy manually, and copy the necessary config files run: # /usr/local/etc/rc.d/privoxy forcestart

Privoxy's config files should be copied to usr/local/etc/privoxy.

If you installed Privoxy as package and are using the default configuration, you have to make sure the directory /var/run/privoxy exists and is owned by privoxyrivoxy.

Let's edit the config file to use Privoxy with Tor.

Uncomment the lines:

# Set the listen address to 127.0.0.1:8118
listen-address 127.0.0.1:8118

# forward privoxy to TOR
forward-socks4a / 127.0.0.1:9050 .

NOTE the trailing "dot".

If you want to use Tor ONLY for .onion sites, use the following instead:

forward-socks4a .onion localhost:9050 .

That should be enough to get it up and working.


3. Let's configure Firefox to use Tor and your web proxy of choice.

First, start Firefox with firefox -P to get into the profile manager. Create a new profile for Tor browsing (as you won't want to use it all the time, especially when logging into Google, Facebook, etc.).

When you have your new profile, go to --> Preferences --> Advanced --> Network --> Settings

Now choose "manual proxy configuration". Enter "127.0.0.1" into the HTTP Proxy box, and choose port "8118". Click "use this proxy for all protocols". Click OK.

That should be enough to get you onto the Tor network. However, you should really install the following addons too:

NoScript
HTTPSEverywhere
Ghostery
AdBlock Plus

Here is a good visual example of why you should use Tor with HTTPS.

Hidden Settings

There are some other "hidden" settings we can change to improve privacy. In the address bar, type "about:config". This will show you all the options available to you.

If you choose to use SOCKS5 in your web proxy configuration, instead of SOCKS4a, you should also make sure that you don't have a DNS leaks problem. As stated above, type the following into your address bar: about:config

Enter the following in the search bar: network.proxy.socks_remote_dns

Make sure this is set to "true" - it should look like this:

network.proxy.socks_remote_dns true

Now find "Network.http.sendRefererHeader" and change the value to suit you. Here are the possible values and what they mean:

0 – Disable referrer.
1 – Send the Referer header when clicking on a link, and set document.referrer for the following page.
2 – Send the Referer header when clicking on a link or loading an image.

I chose "0".

You may also want to change the "User agent" of your browser, although this may result in a few broken web pages.

To change the user agent in Firefox, go to "about:config" and right-click on the page. Select "New" and select "String". Enter the following "general.useragent.override". Then enter your Useragent of choice. A nice list can be found here.

Here are some more things you may change:
Set "browser.cache.disk.enable" to false
Set "browser.cache.memory.enable" to false.
Set "browser.privatebrowsing.autostart" to true
Set "browser.search.defaultenginename" to "Startpage HTTPS"
Set "browser.search.selectedEngine" to "Startpage HTTPS"
Set "network.cookie.cookieBehavior" to 2 (disable cookies)
Set "privacy.clearOnShutdown.cookies" to true
Set "network.http.sendRefererHeader" to 0 (zero)
Set "network.proxy.socks_remote_dns" to true
Set "general.useragent.override" to a common useragent
Set "browser.sessionstore.privacy_level" to 2

Also consider adding "net.inet.ip.random_id=1" in /etc/sysctl.conf because it prevents traffic analysis that exploits sequential IP IDs.

4. Test your setup

Go to Tor check to see if you're connected to the network.

Test your anonymity here and here.

Check your browser fingerprint here (unique is bad when it comes to anonymity).

Hope that helps someone out there!

 

[rabfulton]

Thanks for writing this up. I set up Tor and Privoxy a few weeks ago and this would have saved me a lot of time. Didn't know about the Firefox profile manager, very handy.

Thank you.

 

[Erratus]

However, you should really install the following addons too:

NoScript
HTTPSEverywhere
Ghostery
AdBlock Plus

Be warned of some of those addons! Have a close look on who has programmed these „helpers“ and what the real intention is behind offering them for free. Read all the privacy statements carefully, as you are allowing the makers of datamining to have a look on what you are going to disable. This is like a sheep is asking the butcher for protection from the wulf. Monitor the outgoing traffic from these tools.

 

[sossego]

Good advice- no sarcasm- but, how does one do that?

 

[kpa]

The standard tools that are often used for snooping network traffic are tcpdump(1) and net/wireshark.

For example to capture all traffic on vr0 interface with net/wireshark:

tshark -i vr0

Both tools have a rich filter language that is documented at the pcap-filter(7) manual page.

 

[Erratus]

Good advice- no sarcasm- but, how does one do that?

Do what? Answer: Depends on.

Define which grade of privacy you really need.
If your Computer is connected to the internet, regard your documents to be public.
Learn about the advantages of airwall and sneaker-net. For privacy use computers that have no net interface at all. Do not trust storage media that are not yours.

Define rules on what is allowed to be on Computers that are on a net with a gateway. Review your browsing habits. Do not trust to anything. Products that claim to be safe, can be compromised or have backdoors.

Strictly do not allow outbound encrypted traffic that you have not initialized. If you browse sites with https and scripting is allowed you loose control and do not even know what is leaking out when looking at the traffic.

When relaying on tools like Tor make sure you have configured them well. Tor is an anonymizer only, it does not encrypt any content. If you make errors you are naked. Do not trust any browser plugins as you have to allow a lot for letting them work.

People who called this paranoia stopped laughing some weeks ago. Think about if it is ever advisable to restore trust again on partners that have covered and lied.

For looking at the traffic use the tools @kpa mentioned. You need to learn a little on interpreting that what you see when using them.

 

[markbsd]

I'm going to attempt to show anyone who is interested how I got Tor up and running on my FreeBSD system...

Thanks, @nicknamed, for your excellent guide, which works very well.

Do you have any experience configuring a firewall on FreeBSD with Tor? I have had no luck running pf and keeping Tor functional -- it disables Tor and I don't know what I need to configure in /etc/pf.conf.

I've added these lines:

block in all
pass out all keep state
pass out inet proto tcp from $localnet to 127.0.0.1 8118, 9050 keep state  ## attempt to allow tor ##
pass out proto tcp to 127.0.0.1 8118, 9050 $tor keep state  ## attempt to allow tor ##

but still Tor fails to connect with pf enabled. Any suggestions?

Also, @nicknamed, did you have any luck configuring any browser so it receives all "green" good results from the http://ip-check.info test? I have been unsuccessful in configuring either Firefox or Midori.

 

[tzoi516]

Be warned of some of those addons! Have a close look on who has programmed these „helpers“ and what the real intention is behind offering them for free. Read all the privacy statements carefully, as you are allowing the makers of datamining to have a look on what you are going to disable. This is like a sheep is asking the butcher for protection from the wulf. Monitor the outgoing traffic from these tools.

AdBlock Plus, by default, enables Google ads to pass on through. And anyone who uses Google Chrome knows Chrome doesn't always use the defined DNS servers and will call their own, as do the ads (read: DNS leakage). I'd recommend AdBlock Edge if on a non-BSD system.

 

[nickednamed]

Hi @markbsd,

I don't have much experience with firewalls, so I can't help you there. My mate set mine up for me, and I'm assuming it just works.

As for the JonDoFox page - I never got all the things green: the UserAgent part remains red unless I use the exact UserAgent suggested by JonDoFox, but I'm pretty sure the rest were green.

Here is a list of things I've done to help:

Set "browser.cache.disk.enable" to false
Set "browser.cache.memory.enable" to false.
Set "browser.privatebrowsing.autostart" to true
Set "browser.search.defaultenginename" to "Startpage HTTPS"
Set "browser.search.selectedEngine" to "Startpage HTTPS"
Set "network.cookie.cookieBehavior" to 2 (disable cookies)
Set "privacy.clearOnShutdown.cookies" to true
Set "network.http.sendRefererHeader" to 0 (zero)
Set "network.proxy.socks_remote_dns" to true
Set "general.useragent.override" to a common useragent
Set "browser.sessionstore.privacy_level" to 2

I'm sure there's more you can do, especially regarding session management, but that's all I can remember doing at the moment. I'll add some of that stuff to the initial post too.

 

[hsiao]

I can't user the proxy

I did as you said, but Firefox always said

Privoxy was unable to socks4a-forward your request [url]http://xx.xx.xx.xx/[/url] through 127.0.0.1: SOCKS request rejected or failed.

find the web and I can't find the right.I've searched the web but can't find anything. pls Please help me.

 

[nickednamed]

Re: I can't user the proxy

do as you said,
but firefox always said "Privoxy was unable to socks4a-forward your request http://xx.xx.xx.xx/ through 127.0.0.1: SOCKS request rejected or failed."
find the web and I can't find the right. pls help me.

I've never encountered that problem, but I would recommend checking the configuration files to see if you are using the correct ports, check that you don't have www/privoxy blocked by a firewall, etc.

Perhaps you could try with another browser, with any firewalls off, host files all commented out, or try www/polipo instead of Privoxy. I'm afraid I can't be much more help without more information.

 

[Monti]

I read somewhere that it is better to use 6 hoops instead of 3. Is there a way to set this up in /usr/local/etc/tor/torrc ?

 

[Monti]

Regarding browsing with security/tor, I am using the JonDoFox profile for www/firefox . By default the profile is set up to use the JonDoNym network, but by selecting 'Tor' with the 'JonDoFox Settings' addon icon you can use it with Tor. To do a test use the ip-check.info site to check the connection and see what is being exposed.

For added anonymity with regular browsing one can select 'No Proxy' with the 'JonDoFox Settings' addon icon.

For installation download (JonDoFox for Linux and BSD (TAR)) and verify the file from the page provided with the initial link. Unpack the TAR file and go to the folder in terminal. For easy MD5sum verification I use the DownThemAll! (GPLv2 license) "right click download option" addon.

Run the command with ' sh' in terminal (do not double click the install_jondofox.sh script):

sh install_jondofox.sh

At first run, run www/firefox with the profile manager flag ' -p' and select 'JonDoFox'.

 

[getopt]

I read somewhere that it is better to use 6 hoops instead of 3. Is there a way to set this up in /usr/local/etc/tor/torrc ?

No, you cannot set this in /usr/local/etc/tor/torrc. If you want to, you have to edit the source and compile.

Usually you should not mess with tor unless you have a need to do so and you definitively know what you are doing.

If you select certain fixed guards or preferred exit nodes it might be a good idea to increase the hops by 1 or two. Otherwise it makes little sense and almost none to go beyond 5 if you play with preferred entry and exit nodes (which is NOT recommended). When doing so tor probably slows down.

 

[Monti]

Appreciate it getopt . Thanks a lot for the extra elaboration.

 

[quicktrick]

Thanks a lot for these instructions. I have some questions.

1. Is there any way to see the thing that Tor Browser Bundle shows under the "onion", that is "Tor circuit for this site"?
2. How can I change Identity? Do I need just to restart Firefox or what?

(sorry for newbie questions)

 

[unixbsdshell]

Thanks a lot for these instructions. I have some questions.

1. Is there any way to see the thing that Tor Browser Bundle shows under the "onion", that is "Tor circuit for this site"?
2. How can I change Identity? Do I need just to restart Firefox or what?

(sorry for newbie questions)

We recommend using 3PRoxy instead of using Privoxy. 3proxy is better and more reliable, when 3Proxy is combined with TOR the security level is very high. I have tried it and the results are very satisfying