Tor - Anonymity Online

All ip[6]tables commands now should be converted into /var/lib/ip[6]tables/rules-save and use ip[6]tables-apply instead. Refer to post iptables.

ABCs

1. Tor - the onion router - mainly devotes to hide your Internet identity.
2. Tor prevents people from learning your location or browsing habits.
3. Tor is for web browsers, instant messaging clients, and more.
4. Tor aims at outbound traffic.

How

1. Tor periodically chooes different encryption routing relays. Exit relay's IP is your Tor IP.
2. Tor needs a centralized directory host to receve a list of relays on which Tor builds Tor circuit/route.
3. Tor traffic is NOT encrypted between exit relay and destination host. But that does not impact anonymoity online.
4. Tor is blocked:
   1. Block the directory host;
   2. Block the handshake process by itself fingerprints of Tor traffic between Tor client and the entry relay;
   3. Block intermediate relys;
   4. Malicious relays (honey pots).

   To solve the issue:

   1. Front end proxy;
   2. Tor Bridge;
   3. Tor Bridge and PT (Pluggable Transports) protocol.

5. Add a frontend proxy (Lantern for instance) to Tor. Frontend proxy bypasses censorship while Tor hide your Internet track. The frontend proxy must support SOCKS protocol by itself. GAE does NOT support SOCKS itself, so cannot be a frontend proxy.

   In this post, I use ss (also a SOCKS5) as the frontend proxy.

6. On startup, Tor access the directory host to get a list of relays. But the replays there are public to everyone, prone to blocking. By specifing private relay - Bridges in configuration file, Tor build circuits based on them.

7. Do NOT enable Front end proxy and Bridges simutaneously, otherwise Tor would not work!

   Mostly, I use Frontend proxy: mutliple proxies more secure. But for public Wi-Fi, we'd better use Bridges.

8. Sometimes Bridge is not enough to circumvent traffic censorship. Traffic between Tor client and the entry relay can be peeked and analyzed even the palyload is encrypted.

   On such case, we need Bridges with pluggable transports support. pluggable transports obfuscate traffic between Tor client and the entry relay. Disguise the Tor traffic as normal.

   It does NOT make any sense to run PT alone. It should be managed by applications that require TCP obfuscation.

9. Use Tor not only to surf the Internet, but for other applications that support SOCKS5.

Installation

# echo "net-misc/tor transparent-proxy
# emerge net-misc/tor
# rc-service tor start
# rc-update add tor default

Configuration - /etc/tor/torrc

Refer to /etc/tor/torrc.sample and man tor.

1. Basics

   User tor
   PIDFile /var/run/tor/tor.pid
   Log notice syslog
   DataDirectory /var/lib/tor/data
   AvoidDiskWrites 1
   DirReqStatistics 0
   

2. Frontend proxy

   Tor is blocked by GFW. We add a frontend proxy to Tor bypassing GFW. This proxy server will be inserted between localhost and Tor entry relay.

   This post uses ss - a SOCKS5 proxy.

   Socks5Proxy 127.0.0.1:1080
   

   Application -> Tor -> frontend proxy -> entry relay -> intermediate rely -> exit relay -> destination host.

   Traffic between application and exit relay is encrypted. Localhost IP is plain between application and frontend proxy.

   Though frontend proxy knows your IP but the traffic is encrypted! Exit relays and destination host know your traffic but does not know your real IP. What's more, if you visit destination host by https, then exit relay only knows encrypted https traffic.

   Bingo!

3. Bridges with PT

   Without PT protocol:

   local app -> local Tor client -> Bridges Tor client/server -> destitionation site

   With PT protocol:

   local app -> local Tor client -> local PT protocol client -> Brdiges PT protocol server -> Bridges Tor server -> destitionation host

   There are different pluggable transports, namely obfs1/2/3, scramblesuit, meek, obfs4 etc. Currently, obfs4 is best and next comes meek while the others can be blocked as well. get bridges tells how to obtain bridge address (usually 3 is enough).

   To use pluggable transports, we should install the client first. The server is running at Bridges. Package net-proxy/obfsproxy (written with Python) supports managed, obfs2, dummy, obfs3, scramblesuit, b64. Unfortunately, it does not support obfs4 or meek.

   We need obfs4proxy that implements the obfuscation protocols obfs2, obfs3, scrambleSuit (client only), meek (client only) and obfs4.

   There is no ebuild available. I have written one in local overlay. But there are simpler way. Unlike Python script net-proxy/obfsproxy, obfs4proxy is just a binary executable. We can 1) copy the binary from official Tor browser (tor-browser_en-US/Browser/TorBrowser/Tor/PluggableTransports/); 2) build one manually.

   Manually compilation is easy! obfs4proxy is written by Go language. From README, there are 6 build-time dedpencies. Only dev-lang/go should be installed while the other 5 will be cloned (by dev-vcs/git) automatically on the fly. We can compile in a normal user account.

   The local compile process won't impact portage system as long as GOPATH is confined to somewhere like ~/workspace/go. Everything goes to GOPATH during the whole compiling process.

   Generally, three directories will created under GOPATH, namely ${GOPATH}/src (downloaded source code), ${GOPATH}/bin (binary obfs4proxy), ${GOPATH}/pkg (build-time Go pkgs). Finally cp $GOPATH/bin/obfs4proxy /usr/local/bin.

   The 6 dependencies are all built-time ones. dev-lang/go will be removed on next emerge –depclean. For the other 5, remove ${GOPATH}/src and ${GOPATH}/pkg.

   # emerge -avt [--oneshot] dev-lang/go
   $ export GOPATH=~/workspace/obfs4proxy
   $ go help get/install/build
   $ go get -v -x -work git.torproject.org/pluggable-transports/obfs4.git/obfs4proxy
   # copy $GOPATH/bin/obfs4proxy /usr/local/bin
   # chmod +x /usr/local/bin/obfs4proxy
   # obfs4proxy --version
   # emerge -avc dev-lang/go
   $ rm -r $GOPATH
   $ unset GOPATH
   

   That's all. An interesting notice: the Github/Gitweb repository name is obfs4 but the finally binary is obfs4proxy. Also the compiling entry point is also obfs4.git/obfs4proxy which will depend on others like obfs4.git/transports etc. obfs4 repository implements different pluggable transports and output binary obfs4proxy.

   Now update Tor config:

   UseBridges 1
   Bridge obfs3 ...
   Bridge scramblesuit ...
   Bridge obfs4 ...
   ClientTransportPlugin obfs3,scramblesuit, obfs4 exec /usr/local/bin/obfs4proxy --enableLogging
   UpdateBridgesFromAuthority 1
   

   Test bridges speed on Atlas. Finally send HUP singal to Tor service killall -s HUP tor!

   If Atlas fails to find the bridges, congratulations, this is a brand new bridge and unlikely censorsed.

   Actually by some special configuration, obfs4proxy can be used to obfuscate any other TCP traffic. Refer to ptproxy and 你混淆了.

   Ref:

   1. meek ebuid
   2. meek doc
   3. obfs4proxy ebuild
   4. obfs4proxy doc

4. Stream isolation

   Isolate different applications by Tor port. By default, Tor service listens on 9050 port for all traffic. We can open more Tor ports for different applications.

   For example, web browser and instant messanger should better connect to Tor ports.

   # web browser
   SocksPort 127.0.0.1:9050
   # gpg client
   SocksPort 127.0.0.1:9100
   # instant messenger
   SocksPort 127.0.0.1:9150
   

5. ExcludeNodes

   Tor relies on routing relay. There are also malicious relays set by attacker/countries to analyze Tor traffic.

   Tell Tor not to use those relays:

   ExcludeNodes {cn},{hk},{mo}
   strictnodes 1
   

   Others are kp ir sy pk cu vn.

6. TorDNS

   Though Tor + frontend proxy is secure enough to hide your surfing track, DNS server still knows where you connect. So we further hide the DNS resolving process.

   ATTENTION: even you choose not to use Tor surfing the Internet, you can always use TorDNS resolver. That is why I add tor to default run level.

   1. Turn on TorDNS

      DNSPort 9053
      DNSListenAddress 127.0.0.1
      VirtualAddrNetworkIPv4 10.192.0.0/10
      AutomapHostsOnResolve 1
      AutomapHostsSuffixes .exit,.onion
      

      The 3rd line VirtualAddrNetworkIPv4 10.192.0.0/10 is very important! Otherwise, some applications cannot resolve (TorDNS) or connect to (Transparent proxy discussed below) .onion .exit address.

      Now TorDNS is listening at port 9053 as a DNS server. We can make use of tor-resolve to query DNS.

   2. TorDNS command line tool.

      $ tor-resolve www.baidu.com
      

      It is possible to configure your system, if so desired, to use TorDNS for all queries your system makes, regardless of whether or not you eventually use Tor to connect to your final destination.

   3. [optinal] Change nameserver

      # /etc/resolv.conf
      nameserver 127.0.0.1
      

      1. If DNSListenAddress is set to 0.0.0.0, then any host IP (including 127.0.0.1) is OK.
      2. This step is optional due to the REDIRECT/DNAT rule in the next step.

   4. Redirect DNS request to DNSPort

      By default, DNS resolving goes to port 53. DNS queries will go to 127.0.0.1:53 instead of DNSPort 9053. So need to redirect DNS queries from port 53 to 9053.

      # iptables -t nat -A OUTPUT -p TCP --dport 53 -j REDIRECT --to-ports 9053
      # iptables -t nat -A OUTPUT -p UDP --dport 53 -j DNAT --to-destination 127.0.0.1:9053
      

      A far better solution is setting DNSPort 53 and such no REDIRECT needed. Binding to low ports (53 less than 1024) need root privilege. If you send HUP signal to Tor daemone, it crashes.

      On system startup (OpenRC init script) or daemon restart (rc-service), Tor is ran as root and binding to low port 53 is fine. After start, Tor downgrades to tor account and drop root privileges. You can check this by ps -ef | grep -i tor. A tor user account is created after package installation. So Tor does not need to run as root.

      After dropping the privileges, reloading config will try to bind to low port 53 again. But this time, Tor crashes due permission. So if binding to low port, we can only restart Tor as root instead of HUP signal.

   5. Disable Dhcpcd's resolve.conf hook, otherwise it will override /etc/resolv.conf file on startup.

      # /etc/dhcpcd.conf
      nohook resolv.conf
      

      Another obvious method is to remove /lib/dhcpcd/dhcpcd-hooks/20-resolv.conf file.

   6. Now all DNS request on system will use TorDNS.

      Try ping www.google.com

7. torify - command line tool

   torify will allow application traffic flows via the Tor network without any extra application configuration changes. To use torify, there must be a underlying SOCKS wrapper, i.e. tsocks (almost dead), torsocks etc.

   Force traffic through Tor on demand in terminal, i.e. $ usewithtor emacs or $ torsocks emacs or $ torify emacs.

   Application like Firefox configures their proxy settings to use Tor proxy. But it's annoying to configure each application to use Tor. What's worse, some application even does NOT allow proxy like Bitorrent, wget, apt-get, gpg, etc.

   This is where torify plays a role: force applications to use proxy. Applications utilize Tor transparently.

   # emerge -av net-proxy/torsocks
   
   $ torify wget -qO- https://check.torproject.org/ | grep -i congratulations
   $ wget -qO- https://check.torproject.org/ | grep -i congratulations
   

   It calls torsocks wrapper with a tor specific configuration file (/etc/torsocks.conf). Compare the output between torify and without torify.

   Refer to torify howto and torsocks.

8. torsocks - more

   In previous step, torify make use of torsocks to force application traffic through Tor SOCKS5. torify calls torsocks with the default configuration file /etc/torsocks.conf in which the default port is 9050 - Tor's default SocksPort! There are other arguments like server address, socks type etc.

   To use torsocks directly, just replace torify with usewithtor or torsocks.

   $ usewithtor wget -qO- https://check.torproject.org/ | grep -i congratulations.

   It seems that torsocks only supports Tor SOCKS. If I change /etc/torsocks.conf to use Shadowsocks, it does not work.

   It's recommended to use proxychains instead.

9. Transparent proxy

   configuration might be DEPCRECATED, please refer to lastest config file.

   Though torify and torsocks force traffic through Tor netowrk without bothering configurating applications, they can only executed on command line. With transparent proxy setting, all non-Tor owned traffic will be redirected to Tor's TransPort with command line interfence or application configuration.

   Tor alone cannot achieve transparent proxy without support from Linux kernel's netfilter functionality which is the core of Link firewall - Iptables.

   SocksPort and DNSPort are Tor owned traffic. The former is Tor's TCP traffic while the later is a special case - UDP traffic. Now Iptables will redirect all non-Tor traffic to TransPort.

   Once in place, applications do not need to be configured to use Tor, though Tor's SocksPort will still work. This also works for DNS via Tor's DNSPort, but realize that Tor only supports TCP, thus UDP packets other than DNS cannot be sent through Tor and therefore must be blocked entirely to prevent leaks. Using iptables to transparently torify a system affords comparatively strong leak protection.

   1. Enable Tor's transparent proxy functionality.

      TransPort 9040
      TransListenAddress 127.0.0.1
      

   2. Enable NETFILTER_ADVANCED and XT_MATCH_OWNER kernel option first.

      advanced netfiler configuration netfilter_advanced
        <*>   "owner" match support xt_match_owner
      

      Without these two kernel support, iptables won't recognize -m owner match.

   3. Redirect non-Tor traffic to transparent proxy

      # iptables -t nat -A OUTPUT -p tcp -m owner ! --uid-owner tor -j DNAT --to-destination 127.0.0.1:9040
      # rc-service iptables save
      

      After the setting, all traffic is owned by Tor.

   4. Pay attention to:
      1. -p tcp must accompany --dport since only TCP layer has a port number.
      2. -p tcp actually implied implicit arguments -m tcp which is followed by --dport.
   5. Turn off Foxyproxy of Firefox, since no longer needed!

   6. coarse-grained: all non-Tor traffic goes through Tor now.

      A fine-grained setting is turn on transparent proxy, use user-defined chain to control in detail which concrete outgoing traffic uses transparent proxy on demand. More on transparent proxy, refer to post iptables.

10. Disable non-Tor traffic - an alternative.

    Another extreme way is to disable non-Tor traffic completely.

    # iptables -P OUTPUT DROP
    # iptables -A OUTPUT -i lo -j ACCEPT
    # iptables -A OUTPUT -m owner --uid-owner tor -j ACCEPT
    # iptables -P INPUT DROP
    # iptables -I INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # iptables -I INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
    

11. Choose one of the three shceme on security requirement. In daily usage, torify and/or torsocks suffices.
12. Restart Tor service

   # rc-service tor restart

Firefox setting

1. The main usage of Tor resides in WWW surfing. First make sure foxproxy extension is installed.

   I have configured foxproxy for ss previously.

2. In foxproxy, Add New Proxy.

   Proxy Name: tor-ss
     Perform remote DNS lookups on hostnames ...
   
   Host or IP Address: 127.0.0.1 Port: 9050
   SOCKS proxy SOCKS v5
   

   1. Remember to place the Tor proxy at the beggining of proxy list - highest proxy priority!
   2. Now Firefox has two proxies to choose from.
   3. Tick Perform remote DNS lookups …

3. about:config

   network.proxy.socks_remote_dns    true
   network.dns.disablePrefetch       true
   network.dns.disableIPv6           true
   

   This way Firefox will resolve host names via Tor proxy DNS resolver (i.e. ss also support DNS resolving. Talked laster), which prevents DNS leaks.

   The first item is the key to use TorDNS.

Usage

Prerequisite

1. As we add a frontend proxy to Tor, it should launch before Tor working.
2. All DNS lookups on system are through Tor. If application failed to resolve hostnames, check if Tor is running.

Applications.

Any applications that support SOCKS5 proxy can make use of Tor service.

In its proxy setting, fill socks5 server to 127.0.0.1 and port to one of the stream isolation port number.

For those do NOT support proxy or Tor, refer to transparent proxy above.

Firefox

Up to now, Firefox has two SOCKS5 proxy servers Tor and ss to choose from. You can choose either one or both simultaneously through foxproxy extension.

1. ss for all URLs

   Use ss proxy surfing the Internet.

2. Tor alone

   Use Tor surfing the Internet. However, Tor is blocked by GFW making this method infeasible.

3. Simutaneously

   That's how Tor is commonly used: support from frontend proxy. Recall that we add SocksProxy in Tor's configuration to enable ss frontend proxy.

   When choosing tor for all URLs in foxproxy, Firefox actually use Tor + ss concurrently.

4. Of course, we can choose use proxies based on their pre-defined patterns and priorities in foxproxy.

curl

The popular wget utility cannot talk to socks proxy. However, you can use the tor network to download any resource located at a given URL and save it in a FILE using curl:

$ curl --socks5-hostname 127.0.0.1:9050 -o FILE URL

DNS resolving

As discussed above, the system is configured to use TorDNS resolver preventing DNS lookup leaks. All DNS requests are redirecting to TorDNS by iptables.

Try to rc-service tor stop, then the system cannot resolve DNS anymore as TorDNS is down!

Tips

1. Don't use Tor to sign in Email/forum. The purpose of Tor is hiding traffic tack. Email, forum etc systems can analyze your traffic. No matter which method you use for connection, final interaction with sign in system is plain text.

2. 关于深网

   深网用户通过特殊的技术手段隐匿用户信息（如IP地址等）登陆“深网”以后，就能完全脱离世间法律或NSA（美国国家安全局）等政府管制力量的钳制和监管，在那里，你可以通过网站肆意的购买枪支弹药，可以发布悬赏杀人的告示，可以购买冰毒和可卡因，可以随意浏览儿童色情网站，也可以办理各种假证伪造身份。仅有4%的网络数据是可以通过搜索引擎找到的，其他的都深藏在“深网”中。

   96%的网络数据都是无法用使用搜索引擎查找的，但这些网站的服务器实体可能分布在互联网管制薄弱的东欧国家，背后由深谙网络安全技术的黑客维护，多以.onion作为域名，采用特殊的加密机制，不能通过搜索引擎查找，即使知道域名也无法采用传统的HTTP方式直接访问，必须采用特殊手段才能接入，就好像只有游吟诗人维吉尔的引领，但丁才可以窥见Limbo里的曲径通幽处。

   而今天我们这个引路人就是Tor（The Onion Router），直译过来为“洋葱路由”。既然已经通过 Tor 打开了“深网”的大门，那么让我们就将其一窥究竟，因为广大的深网网站都无法被搜索引擎收录，所以我们必须要找到一个收录各类深网网站的索引站点，“Hidden Wiki”就是其中较为出名的一个，它收录了各类深网网站地址。

3. Hidden wiki:
   1. http://zqktlwi4fecvo6ri.onion/wiki/
   2. http://torlinkbgs6aabns.onion/
   3. http://wikitjerrta4qgz4.onion/
   4. http://jh32yv5zgayyyts3.onion/

Refs

1. gentoo wiki
2. gentoo-en
3. arch wiki
4. cn link1
5. cn link2