Install a TOR Socks Proxy

TOR can act as a SOCKS proxy: client applications hand their connections to the proxy, which carries them through the TOR network. Be aware that this alone does not give anonymity; other fingerprinting factors (browser fingerprint, fonts, cookies, OS patch level and the like) still identify you, which is what TOR Browser is built to address. Also, TOR carries only TCP. UDP (voice, streams, torrents, VPNs, etc.) cannot be routed through TOR via SOCKS, so such traffic either fails or, worse, bypasses TOR entirely.

Relay or bridge?

When configuring a SOCKS proxy it does not matter whether the node is a relay or a bridge; both work. Running a relay is often recommended because your own traffic is harder to pick out of the relay's traffic, but it is not always possible: some websites block the IP addresses of known relays, which can affect normal internet use on the home connection. When the only purpose of the node is to put most of your traffic into TOR, a private bridge is fine. (A private bridge does not need its OR-Port opened in the firewall at all, although an ORPort has to be configured in the torrc.) More information about relays and bridges see here.

Private bridge

When the TOR node is only meant to be a private SOCKS proxy, configure it as a private bridge, i.e. a bridge that never publishes its descriptor. To do this, uncomment (or add) this line in the torrc:

PublishServerDescriptor 0

Also consider hiding your ORPort and DirPort. TOR requires an ORPort to run in relay or bridge mode (a DirPort is optional, and TOR disables it on a bridge anyway), but the port does not have to be reachable from the Internet: either have your (local) firewall drop or reject requests to it, or simply don't configure a port forwarding on your home router. TOR will then log warnings like

DATE [warn] Your server (IP:PORT) has not managed to confirm that its ORPort is reachable. Relays do not publish descriptors until their ORPort and DirPort are reachable. Please check your firewalls, ports, address, /etc/hosts file, etc.

but the node still works. The only consequence is that no descriptor is ever published, so the bridge is not listed on TOR Metrics and nobody outside your network can use it.

SOCKS Configuration

In the torrc you can configure several SOCKS listeners, e.g. one on localhost and one per LAN address the clients should use:

SOCKSPort 9050 # Default: Bind to localhost:9050 for local connections.
SOCKSPort 192.168.1.1:9100 # Bind to this address:port too.

Then define which networks are allowed to connect to the SOCKS proxy, e.g. your home network; several accept lines are possible. Be sure to close the list with a reject-all rule. Note that SOCKSPolicy filters on the client's source address only; there is no authentication, so every host on an accepted network can send traffic through your TOR client.

SOCKSPolicy accept 192.168.1.0/24
SOCKSPolicy reject *
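A complete torrc for the private-bridge SOCKS setup described in this and the previous sections, as an added example (it is not the page's own configuration): the commented-out SOCKSPort line shows the weak variant to avoid, the rest the corrected one. Addresses, ports and the nickname are assumptions.

```text
## Weak: bind on all interfaces with no policy. Anyone who can reach TCP 9100
## (Wi-Fi guests, or the Internet if the port is forwarded) gets an open,
## unauthenticated TOR client whose traffic leaves through your circuits.
#SOCKSPort 0.0.0.0:9100

## Corrected: a loopback listener plus one LAN listener, restricted by source net.
SOCKSPort 127.0.0.1:9050
SOCKSPort 192.168.1.1:9100
SOCKSPolicy accept 192.168.1.0/24
SOCKSPolicy reject *

## Private bridge: bridge mode needs an ORPort, but the port is never forwarded
## on the router and the descriptor is never published.
BridgeRelay 1
ORPort 9001
ExitRelay 0
PublishServerDescriptor 0
Nickname privatebridge
```

TOR itself warns when a SOCKSPort is bound to a public address, so the weak variant is easy to spot in the log at startup.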

PAC (Proxy Auto-Configuration)

Many clients do not offer a direct SOCKS proxy setting (most browsers, Firefox for example, are an exception); the system proxy settings typically only allow a manual proxy or automatic configuration. Since the manual setting creates an HTTP proxy connection rather than SOCKS, automatic configuration is needed.

Automatic proxy configuration needs a file published by a web server that the clients can reach. Whoever controls that file controls where all client traffic goes, so serve it from a host inside your network and, where the client supports it, over HTTPS; a PAC file fetched over plain HTTP can be replaced by anyone on the path. The PAC file contains at least:

function FindProxyForURL(url, host)
{
    return "SOCKS PROXY_ADDRESS:PORT";
    // return "SOCKS proxy.example.com:9100";
    // return "SOCKS 192.168.1.1:9100";
}

A PAC file is JavaScript: the browser calls FindProxyForURL(url, host) for every request and uses the returned string. To make exceptions for whole networks or domains, return DIRECT for them:

function FindProxyForURL(url, host)
{
    if (shExpMatch(host, "*.example.com"))
    {
        return "DIRECT";
    }

    if (isInNet(host, "10.0.0.0", "255.255.248.0"))
    {
        return "DIRECT";
    }

    return "SOCKS proxy.example.com:9100";
}

Mozilla has a good explanation with examples for it.

Avoid reaching localhost via TOR

To avoid trying to reach local addresses over TOR, add exceptions to the PAC file for both the hostnames and the subnets; otherwise some local traffic still ends up at the proxy. One caveat: when host is not an IP literal, isInNet(host, ...) resolves it through the local resolver before comparing, so the browser leaks the name of every non-excepted site to your normal DNS before the request ever reaches TOR. Guard the isInNet check so that it only ever sees dotted-quad literals, e.g. with a regular-expression test on host.

function FindProxyForURL(url, host)
{
    // names without a dot and the home domain stay local
    if (isPlainHostName(host) || dnsDomainIs(host, ".segvault.space"))
    {
        return "DIRECT";
    }
    // the home subnet (192.168.0.0/16) stays local too
    if (isInNet(host, "192.168.0.0", "255.255.0.0"))
    {
        return "DIRECT";
    }

    return "SOCKS proxy.example.com:9100";
}
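The exception rules from the two PAC sections above, combined into one file that never resolves a name locally to decide the route, as an added example (this is not the page's own PAC file). The proxy address 192.168.1.1:9100 and the internal domain home.example are assumptions, and the helper functions at the end are stand-ins so the rules can be exercised offline with Node; the browser supplies the real ones.

```javascript
// Added example, not part of the original page: a PAC file for the TOR SOCKS proxy
// that never triggers a local DNS lookup to decide the route.  The proxy address
// 192.168.1.1:9100 and the internal domain "home.example" are assumptions.
var TOR_PROXY = "SOCKS5 192.168.1.1:9100"; // SOCKS5: the hostname (incl. .onion) is handed to TOR

// The browser's isInNet() resolves a hostname through the local resolver before
// comparing, which leaks the name; only ever pass it a dotted-quad literal.
function isIPv4Literal(host) {
  return /^(?:\d{1,3}\.){3}\d{1,3}$/.test(host);
}

function FindProxyForURL(url, host) {
  // Names without a dot ("nas", "router") are LAN devices.
  if (isPlainHostName(host)) return "DIRECT";
  // The internal domain is matched on the name alone, no resolution needed.
  if (host === "home.example" || dnsDomainIs(host, ".home.example")) return "DIRECT";
  // Loopback and RFC 1918 ranges, decided on the literal only.
  if (isIPv4Literal(host) &&
      (isInNet(host, "127.0.0.0", "255.0.0.0") ||
       isInNet(host, "10.0.0.0", "255.0.0.0") ||
       isInNet(host, "172.16.0.0", "255.240.0.0") ||
       isInNet(host, "192.168.0.0", "255.255.0.0"))) return "DIRECT";
  // Everything else, .onion names included, goes to TOR unresolved.
  return TOR_PROXY;
}

// ---- Stand-ins for the browser's PAC helpers so the rules can be run with Node ----
// The browser provides the real ones; remove this part before deploying the file.
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}
function dnsDomainIs(host, domain) {
  return host.length >= domain.length && host.slice(host.length - domain.length) === domain;
}
function ipToInt(ip) {
  return ip.split(".").reduce(function (acc, octet) { return acc * 256 + parseInt(octet, 10); }, 0) >>> 0;
}
// Literal-only isInNet(): the browser's version would resolve a hostname here.
function isInNet(host, pattern, mask) {
  if (!isIPv4Literal(host)) throw new Error("isInNet() with a hostname would leak DNS: " + host);
  var m = ipToInt(mask);
  return ((ipToInt(host) & m) >>> 0) === ((ipToInt(pattern) & m) >>> 0);
}
```

Run it with `node pac.js` after appending a few calls to FindProxyForURL, or load the file (without the stand-ins) as the browser's automatic proxy configuration. The dnsDomainIs() test is a plain suffix match, so evil.home.example.com is not matched and still goes through TOR.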

Circuit Change

TOR Browser manages circuits itself: it uses a separate circuit per site (first-party domain) and offers a manual "New Tor circuit for this site". Clients behind a plain SOCKS proxy get neither. Watching the node's behaviour, the bridge or relay establishes many circuits and assigns one to every connected device, and the circuits change automatically in periodic steps (~every 10-15 minutes). Both observations match TOR's defaults: SOCKSPort isolation by client address (IsolateClientAddr) is on, so each device gets its own circuits, and a circuit is no longer used for new streams once it is older than MaxCircuitDirtiness (10 minutes by default). A manual circuit change from a client is still possible in two ways: send SIGNAL NEWNYM to the ControlPort (if one is configured and protected), or, because IsolateSOCKSAuth is also on by default, present a different SOCKS5 username/password for streams that must not share a circuit; TOR accepts any credentials and uses them only as an isolation key.

DNS through SOCKS/.onion look up from different browsers

To have name resolution happen inside TOR as well, the client must speak SOCKS5 (or SOCKS4a) and pass the hostname to the proxy instead of resolving it locally; plain SOCKS4 can only carry a resolved IP address, so every lookup goes to your normal resolver and reveals the destination. Declare the proxy as SOCKS5 in the PAC file; in Firefox additionally enable "Proxy DNS when using SOCKS v5" (network.proxy.socks_remote_dns).

function FindProxyForURL(url, host)
{
  ...
  return "SOCKS5 proxy.example.com:9100";
}

Be aware that not all browsers understand the SOCKS5 keyword. If your browser does not accept SOCKS5, fall back to SOCKS; the browser then resolves names locally, so DNS leaks and .onion links cannot be reached from the standard, non-TOR browser.

Check connection

When everything is in place, open https://check.torproject.org in a browser that uses the proxy: it reports whether the request arrived through TOR and which exit address it saw. Open a .onion address as well to confirm that name resolution goes through the proxy rather than your local resolver.

More about TOR

public/tutorial/tor-socks.txt · Last modified: 2020/07/26 21:26 by lithilion