ZNHOO Whatever you are, be a good one!

Tor - Anonymity Online

All ip[6]tables commands now should be converted into /var/lib/ip[6]tables/rules-save and use ip[6]tables-apply instead. Refer to post iptables.


  1. Tor - the onion router - mainly devotes to hide your Internet identity.
  2. Tor prevents people from learning your location or browsing habits.
  3. Tor is for web browsers, instant messaging clients, and more.
  4. Tor aims at outbound traffic.


  1. Tor periodically chooes different encryption routing relays. Exit relay's IP is your Tor IP.
  2. Tor needs a centralized directory host to receve a list of relays on which Tor builds Tor circuit/route.
  3. Tor traffic is NOT encrypted between exit relay and destination host. But that does not impact anonymoity online.
  4. Tor is blocked:
    1. Block the directory host;
    2. Block the handshake process by itself fingerprints of Tor traffic between Tor client and the entry relay;
    3. Block intermediate relys;
    4. Malicious relays (honey pots).

    To solve the issue:

    1. Front end proxy;
    2. Tor Bridge;
    3. Tor Bridge and PT (Pluggable Transports) protocol.
  5. Add a frontend proxy (Lantern for instance) to Tor. Frontend proxy bypasses censorship while Tor hide your Internet track. The frontend proxy must support SOCKS protocol by itself. GAE does NOT support SOCKS itself, so cannot be a frontend proxy.

    In this post, I use ss (also a SOCKS5) as the frontend proxy.

  6. On startup, Tor access the directory host to get a list of relays. But the replays there are public to everyone, prone to blocking. By specifing private relay - Bridges in configuration file, Tor build circuits based on them.
  7. Do NOT enable Front end proxy and Bridges simutaneously, otherwise Tor would not work!

    Mostly, I use Frontend proxy: mutliple proxies more secure. But for public Wi-Fi, we'd better use Bridges.

  8. Sometimes Bridge is not enough to circumvent traffic censorship. Traffic between Tor client and the entry relay can be peeked and analyzed even the palyload is encrypted.

    On such case, we need Bridges with pluggable transports support. pluggable transports obfuscate traffic between Tor client and the entry relay. Disguise the Tor traffic as normal.

    It does NOT make any sense to run PT alone. It should be managed by applications that require TCP obfuscation.

  9. Use Tor not only to surf the Internet, but for other applications that support SOCKS5.


# echo "net-misc/tor transparent-proxy
# emerge net-misc/tor
# rc-service tor start
# rc-update add tor default

Configuration - /etc/tor/torrc

Refer to /etc/tor/torrc.sample and man tor.

  1. Basics

    User tor
    PIDFile /var/run/tor/tor.pid
    Log notice syslog
    DataDirectory /var/lib/tor/data
    AvoidDiskWrites 1
    DirReqStatistics 0
  2. Frontend proxy

    Tor is blocked by GFW. We add a frontend proxy to Tor bypassing GFW. This proxy server will be inserted between localhost and Tor entry relay.

    This post uses ss - a SOCKS5 proxy.


    Application -> Tor -> frontend proxy -> entry relay -> intermediate rely -> exit relay -> destination host.

    Traffic between application and exit relay is encrypted. Localhost IP is plain between application and frontend proxy.

    Though frontend proxy knows your IP but the traffic is encrypted! Exit relays and destination host know your traffic but does not know your real IP. What's more, if you visit destination host by https, then exit relay only knows encrypted https traffic.


  3. Bridges with PT

    Without PT protocol:

    local app -> local Tor client -> Bridges Tor client/server -> destitionation site

    With PT protocol:

    local app -> local Tor client -> local PT protocol client -> Brdiges PT protocol server -> Bridges Tor server -> destitionation host

    There are different pluggable transports, namely obfs1/2/3, scramblesuit, meek, obfs4 etc. Currently, obfs4 is best and next comes meek while the others can be blocked as well. get bridges tells how to obtain bridge address (usually 3 is enough).

    To use pluggable transports, we should install the client first. The server is running at Bridges. Package net-proxy/obfsproxy (written with Python) supports managed, obfs2, dummy, obfs3, scramblesuit, b64. Unfortunately, it does not support obfs4 or meek.

    We need obfs4proxy that implements the obfuscation protocols obfs2, obfs3, scrambleSuit (client only), meek (client only) and obfs4.

    There is no ebuild available. I have written one in local overlay. But there are simpler way. Unlike Python script net-proxy/obfsproxy, obfs4proxy is just a binary executable. We can 1) copy the binary from official Tor browser (tor-browser_en-US/Browser/TorBrowser/Tor/PluggableTransports/); 2) build one manually.

    Manually compilation is easy! obfs4proxy is written by Go language. From README, there are 6 build-time dedpencies. Only dev-lang/go should be installed while the other 5 will be cloned (by dev-vcs/git) automatically on the fly. We can compile in a normal user account.

    The local compile process won't impact portage system as long as GOPATH is confined to somewhere like ~/workspace/go. Everything goes to GOPATH during the whole compiling process.

    Generally, three directories will created under GOPATH, namely ${GOPATH}/src (downloaded source code), ${GOPATH}/bin (binary obfs4proxy), ${GOPATH}/pkg (build-time Go pkgs). Finally cp $GOPATH/bin/obfs4proxy /usr/local/bin.

    The 6 dependencies are all built-time ones. dev-lang/go will be removed on next emerge –depclean. For the other 5, remove ${GOPATH}/src and ${GOPATH}/pkg.

    # emerge -avt [--oneshot] dev-lang/go
    $ export GOPATH=~/workspace/obfs4proxy
    $ go help get/install/build
    $ go get -v -x -work git.torproject.org/pluggable-transports/obfs4.git/obfs4proxy
    # copy $GOPATH/bin/obfs4proxy /usr/local/bin
    # chmod +x /usr/local/bin/obfs4proxy
    # obfs4proxy --version
    # emerge -avc dev-lang/go
    $ rm -r $GOPATH
    $ unset GOPATH

    That's all. An interesting notice: the Github/Gitweb repository name is obfs4 but the finally binary is obfs4proxy. Also the compiling entry point is also obfs4.git/obfs4proxy which will depend on others like obfs4.git/transports etc. obfs4 repository implements different pluggable transports and output binary obfs4proxy.

    Now update Tor config:

    UseBridges 1
    Bridge obfs3 ...
    Bridge scramblesuit ...
    Bridge obfs4 ...
    ClientTransportPlugin obfs3,scramblesuit, obfs4 exec /usr/local/bin/obfs4proxy --enableLogging
    UpdateBridgesFromAuthority 1

    Test bridges speed on Atlas. Finally send HUP singal to Tor service killall -s HUP tor!

    If Atlas fails to find the bridges, congratulations, this is a brand new bridge and unlikely censorsed.

    Actually by some special configuration, obfs4proxy can be used to obfuscate any other TCP traffic. Refer to ptproxy and 你混淆了.


    1. meek ebuid
    2. meek doc
    3. obfs4proxy ebuild
    4. obfs4proxy doc
  4. Stream isolation

    Isolate different applications by Tor port. By default, Tor service listens on 9050 port for all traffic. We can open more Tor ports for different applications.

    For example, web browser and instant messanger should better connect to Tor ports.

    # web browser
    # gpg client
    # instant messenger
  5. ExcludeNodes

    Tor relies on routing relay. There are also malicious relays set by attacker/countries to analyze Tor traffic.

    Tell Tor not to use those relays:

    ExcludeNodes {cn},{hk},{mo}
    strictnodes 1

    Others are kp ir sy pk cu vn.

  6. TorDNS

    Though Tor + frontend proxy is secure enough to hide your surfing track, DNS server still knows where you connect. So we further hide the DNS resolving process.

    ATTENTION: even you choose not to use Tor surfing the Internet, you can always use TorDNS resolver. That is why I add tor to default run level.

    1. Turn on TorDNS

      DNSPort 9053
      AutomapHostsOnResolve 1
      AutomapHostsSuffixes .exit,.onion

      The 3rd line VirtualAddrNetworkIPv4 is very important! Otherwise, some applications cannot resolve (TorDNS) or connect to (Transparent proxy discussed below) .onion .exit address.

      Now TorDNS is listening at port 9053 as a DNS server. We can make use of tor-resolve to query DNS.

    2. TorDNS command line tool.

      $ tor-resolve www.baidu.com

      It is possible to configure your system, if so desired, to use TorDNS for all queries your system makes, regardless of whether or not you eventually use Tor to connect to your final destination.

    3. [optinal] Change nameserver

      # /etc/resolv.conf
      1. If DNSListenAddress is set to, then any host IP (including is OK.
      2. This step is optional due to the REDIRECT/DNAT rule in the next step.
    4. Redirect DNS request to DNSPort

      By default, DNS resolving goes to port 53. DNS queries will go to instead of DNSPort 9053. So need to redirect DNS queries from port 53 to 9053.

      # iptables -t nat -A OUTPUT -p TCP --dport 53 -j REDIRECT --to-ports 9053
      # iptables -t nat -A OUTPUT -p UDP --dport 53 -j DNAT --to-destination

      A far better solution is setting DNSPort 53 and such no REDIRECT needed. Binding to low ports (53 less than 1024) need root privilege. If you send HUP signal to Tor daemone, it crashes.

      On system startup (OpenRC init script) or daemon restart (rc-service), Tor is ran as root and binding to low port 53 is fine. After start, Tor downgrades to tor account and drop root privileges. You can check this by ps -ef | grep -i tor. A tor user account is created after package installation. So Tor does not need to run as root.

      After dropping the privileges, reloading config will try to bind to low port 53 again. But this time, Tor crashes due permission. So if binding to low port, we can only restart Tor as root instead of HUP signal.

    5. Disable Dhcpcd's resolve.conf hook, otherwise it will override /etc/resolv.conf file on startup.

      # /etc/dhcpcd.conf
      nohook resolv.conf

      Another obvious method is to remove /lib/dhcpcd/dhcpcd-hooks/20-resolv.conf file.

    6. Now all DNS request on system will use TorDNS.

      Try ping www.google.com

  7. torify - command line tool

    torify will allow application traffic flows via the Tor network without any extra application configuration changes. To use torify, there must be a underlying SOCKS wrapper, i.e. tsocks (almost dead), torsocks etc.

    Force traffic through Tor on demand in terminal, i.e. $ usewithtor emacs or $ torsocks emacs or $ torify emacs.

    Application like Firefox configures their proxy settings to use Tor proxy. But it's annoying to configure each application to use Tor. What's worse, some application even does NOT allow proxy like Bitorrent, wget, apt-get, gpg, etc.

    This is where torify plays a role: force applications to use proxy. Applications utilize Tor transparently.

    # emerge -av net-proxy/torsocks
    $ torify wget -qO- https://check.torproject.org/ | grep -i congratulations
    $ wget -qO- https://check.torproject.org/ | grep -i congratulations

    It calls torsocks wrapper with a tor specific configuration file (/etc/torsocks.conf). Compare the output between torify and without torify.

    Refer to torify howto and torsocks.

  8. torsocks - more

    In previous step, torify make use of torsocks to force application traffic through Tor SOCKS5. torify calls torsocks with the default configuration file /etc/torsocks.conf in which the default port is 9050 - Tor's default SocksPort! There are other arguments like server address, socks type etc.

    To use torsocks directly, just replace torify with usewithtor or torsocks.

    $ usewithtor wget -qO- https://check.torproject.org/ | grep -i congratulations.

    It seems that torsocks only supports Tor SOCKS. If I change /etc/torsocks.conf to use Shadowsocks, it does not work.

    It's recommended to use proxychains instead.

  9. Transparent proxy

    configuration might be DEPCRECATED, please refer to lastest config file.

    Though torify and torsocks force traffic through Tor netowrk without bothering configurating applications, they can only executed on command line. With transparent proxy setting, all non-Tor owned traffic will be redirected to Tor's TransPort with command line interfence or application configuration.

    Tor alone cannot achieve transparent proxy without support from Linux kernel's netfilter functionality which is the core of Link firewall - Iptables.

    SocksPort and DNSPort are Tor owned traffic. The former is Tor's TCP traffic while the later is a special case - UDP traffic. Now Iptables will redirect all non-Tor traffic to TransPort.

    Once in place, applications do not need to be configured to use Tor, though Tor's SocksPort will still work. This also works for DNS via Tor's DNSPort, but realize that Tor only supports TCP, thus UDP packets other than DNS cannot be sent through Tor and therefore must be blocked entirely to prevent leaks. Using iptables to transparently torify a system affords comparatively strong leak protection.

    1. Enable Tor's transparent proxy functionality.

      TransPort 9040
    2. Enable NETFILTER_ADVANCED and XT_MATCH_OWNER kernel option first.

      advanced netfiler configuration netfilter_advanced
        <*>   "owner" match support xt_match_owner

      Without these two kernel support, iptables won't recognize -m owner match.

    3. Redirect non-Tor traffic to transparent proxy

      # iptables -t nat -A OUTPUT -p tcp -m owner ! --uid-owner tor -j DNAT --to-destination
      # rc-service iptables save

      After the setting, all traffic is owned by Tor.

    4. Pay attention to:
      1. -p tcp must accompany --dport since only TCP layer has a port number.
      2. -p tcp actually implied implicit arguments -m tcp which is followed by --dport.
    5. Turn off Foxyproxy of Firefox, since no longer needed!
    6. coarse-grained: all non-Tor traffic goes through Tor now.

      A fine-grained setting is turn on transparent proxy, use user-defined chain to control in detail which concrete outgoing traffic uses transparent proxy on demand. More on transparent proxy, refer to post iptables.

  10. Disable non-Tor traffic - an alternative.

    Another extreme way is to disable non-Tor traffic completely.

    # iptables -P OUTPUT DROP
    # iptables -A OUTPUT -i lo -j ACCEPT
    # iptables -A OUTPUT -m owner --uid-owner tor -j ACCEPT
    # iptables -P INPUT DROP
    # iptables -I INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # iptables -I INPUT -s -d -j ACCEPT
  11. Choose one of the three shceme on security requirement. In daily usage, torify and/or torsocks suffices.
  12. Restart Tor service
   # rc-service tor restart

Firefox setting

  1. The main usage of Tor resides in WWW surfing. First make sure foxproxy extension is installed.

    I have configured foxproxy for ss previously.

  2. In foxproxy, Add New Proxy.

    Proxy Name: tor-ss
      Perform remote DNS lookups on hostnames ...
    Host or IP Address: Port: 9050
    SOCKS proxy SOCKS v5
    1. Remember to place the Tor proxy at the beggining of proxy list - highest proxy priority!
    2. Now Firefox has two proxies to choose from.
    3. Tick Perform remote DNS lookups …
  3. about:config

    network.proxy.socks_remote_dns    true
    network.dns.disablePrefetch       true
    network.dns.disableIPv6           true

    This way Firefox will resolve host names via Tor proxy DNS resolver (i.e. ss also support DNS resolving. Talked laster), which prevents DNS leaks.

    The first item is the key to use TorDNS.



  1. As we add a frontend proxy to Tor, it should launch before Tor working.
  2. All DNS lookups on system are through Tor. If application failed to resolve hostnames, check if Tor is running.


Any applications that support SOCKS5 proxy can make use of Tor service.

In its proxy setting, fill socks5 server to and port to one of the stream isolation port number.

For those do NOT support proxy or Tor, refer to transparent proxy above.


Up to now, Firefox has two SOCKS5 proxy servers Tor and ss to choose from. You can choose either one or both simultaneously through foxproxy extension.

  1. ss for all URLs

    Use ss proxy surfing the Internet.

  2. Tor alone

    Use Tor surfing the Internet. However, Tor is blocked by GFW making this method infeasible.

  3. Simutaneously

    That's how Tor is commonly used: support from frontend proxy. Recall that we add SocksProxy in Tor's configuration to enable ss frontend proxy.

    When choosing tor for all URLs in foxproxy, Firefox actually use Tor + ss concurrently.

  4. Of course, we can choose use proxies based on their pre-defined patterns and priorities in foxproxy.


The popular wget utility cannot talk to socks proxy. However, you can use the tor network to download any resource located at a given URL and save it in a FILE using curl:

$ curl --socks5-hostname -o FILE URL

DNS resolving

As discussed above, the system is configured to use TorDNS resolver preventing DNS lookup leaks. All DNS requests are redirecting to TorDNS by iptables.

Try to rc-service tor stop, then the system cannot resolve DNS anymore as TorDNS is down!


  1. Don't use Tor to sign in Email/forum. The purpose of Tor is hiding traffic tack. Email, forum etc systems can analyze your traffic. No matter which method you use for connection, final interaction with sign in system is plain text.
  2. 关于深网



    而今天我们这个引路人就是Tor(The Onion Router),直译过来为“洋葱路由”。既然已经通过 Tor 打开了“深网”的大门,那么让我们就将其一窥究竟,因为广大的深网网站都无法被搜索引擎收录,所以我们必须要找到一个收录各类深网网站的索引站点,“Hidden Wiki”就是其中较为出名的一个,它收录了各类深网网站地址。

  3. Hidden wiki:
    1. http://zqktlwi4fecvo6ri.onion/wiki/
    2. http://torlinkbgs6aabns.onion/
    3. http://wikitjerrta4qgz4.onion/
    4. http://jh32yv5zgayyyts3.onion/


  1. gentoo wiki
  2. gentoo-en
  3. arch wiki
  4. cn link1
  5. cn link2