2020-12-tor-socks-proxy.html

Blame
  • Code owners
    Assign users and groups as approvers for specific file changes. Learn more.
    2020-12-tor-socks-proxy.html 7.05 KiB
    <html lang="en">
    <head>
    	<title>Install a Tor Socks Proxy - Paul Lackner</title>
    	<link rel="stylesheet" href="../style.css">
            <link rel="alternate" type="application/atom+xml" href="lithilion-blog.rss">
    	<meta charset="utf-8">
    	<link type="text/plain" rel="author" href="../humans.txt" />
    	<meta name="keywords" content="Tor, socks, proxy, bridge">
    	<meta name="description" content="A guide to install and host a Tor Socks proxy">
    	<meta name="viewport" content="width=device-width, initial-scale=1.0">
    </head>
    <body>
    
    	<div class="tabcontent">
    	<div>
    		<h1>Install a Tor Socks Proxy</h1> 
    <p>
    Tor can be used as a <a href="https://en.wikipedia.org/wiki/SOCKS" target="_blank">SOCKS</a> proxy. This means all traffic is redirected to this proxy and then sent through the Tor network. Beware: this does not guarantee anonymity, because other fingerprinting factors remain (e.g. browser fingerprints, fonts, cookies, system patch versions, etc.). Also, <strong>Tor does not support UDP</strong> (voice, streams, torrents, VPN, etc.), which may result in UDP traffic either not working or not being routed through Tor.
    See also: <a href="https://blog.torproject.org/bittorrent-over-tor-isnt-good-idea" target="_blank">Bittorrent over Tor isn&#039;t a good idea</a>
    </p>
    
    
    <h2>Relay or bridge?</h2>
    
    <p>
    When configuring a SOCKS proxy, it does not matter whether you run a relay or a bridge; both work. Running a relay is recommended and can help to disguise your normal traffic, but it is not always possible (some sites can block your internet access when you run a relay in your home network). When the only purpose of this proxy is to put most of the traffic into Tor, a private bridge is also fine. (There is actually no need to open the ORPort in the firewall to run a private bridge, although you have to configure one in the torrc.) For more information about relays and bridges, see <a href="https://community.torproject.org/relay/types-of-relays/" target="_blank">here</a>.
    </p>
    
    <h2>Private bridge</h2>
    
    <p>
    When configuring a Tor node as a private SOCKS proxy, you can configure the node as a private bridge. To do this, you simply need to uncomment this: 
    </p>
    <pre>PublishServerDescriptor 0</pre>
    
    <p>
    Also consider hiding your ORPort and DirPort. You must configure an ORPort and DirPort for the Tor node to run, but you don&#039;t need to make them reachable. So either configure your (local) firewall to drop/reject requests to these ports or simply don&#039;t configure port forwarding on your home router. Tor will log warnings like
    </p>
    <pre>DATE [warn] Your server (IP:PORT) has not managed to confirm that its ORPort is reachable. Relays do not publish descriptors until their ORPort and DirPort are reachable. Please check your firewalls, ports, address, /etc/hosts file, etc.</pre>
    
    <p>
    but it will still work. The only effect is that your bridge will not be accessible via <a href="https://metrics.torproject.org/" target="_blank">Tor Metrics</a>.
    </p>
    
    
    <h2>SOCKS Configuration</h2>
    
    <p>
    In the torrc, you can configure multiple ports for SOCKS to listen on: one for localhost and one per IP address.
    </p>
    <pre>SOCKSPort 9050 # Default: Bind to localhost:9050 for local connections.
    SOCKSPort 192.168.1.1:9100 # Bind to this address:port too.</pre>
    
    <p>
    Then you need to define the networks that are allowed to connect to your SOCKS proxy. This can be your home network. You can accept multiple networks. Be sure to close the list with a reject all.
    </p>
    <pre>SOCKSPolicy accept 192.168.1.0/24
    SOCKSPolicy reject *</pre>
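    <p>
    Why the closing reject matters: Tor applies the first matching SOCKSPolicy rule and accepts any address that no rule matches. The Python sketch below is an added example, not part of the original post or of Tor; it parses a constructed torrc with the directives shown above, evaluates the policy for a client address, and flags network-facing SOCKSPort listeners whose policy is not closed. The function names are hypothetical, and it assumes listeners written as PORT or ADDR:PORT and policy rules without port parts.
    </p>

```python
import ipaddress

# Constructed sample torrc, modelled on the directives shown above.
SAMPLE_TORRC = """\
SOCKSPort 9050 # Default: Bind to localhost:9050 for local connections.
SOCKSPort 192.168.1.1:9100 # Bind to this address:port too.
SOCKSPolicy accept 192.168.1.0/24
SOCKSPolicy reject *
"""

def parse_torrc(text):
    """Return (listeners, policy) from SOCKSPort / SOCKSPolicy lines."""
    listeners, policy = [], []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) < 2:
            continue
        key = parts[0].lower()
        if key == "socksport":
            host, _, port = parts[1].rpartition(":")
            listeners.append((host or "127.0.0.1", int(port)))  # bare port = localhost
        elif key == "sockspolicy":
            for rule in " ".join(parts[1:]).split(","):  # comma-separated rules
                action, target = rule.split()
                policy.append((action.lower(), target))
    return listeners, policy

def decide(policy, client_ip):
    """First matching rule wins; an address matched by no rule is accepted."""
    ip = ipaddress.ip_address(client_ip)
    for action, target in policy:
        if target == "*" or ip in ipaddress.ip_network(target, strict=False):
            return action
    return "accept"

def is_local(host):
    return host == "localhost" or ipaddress.ip_address(host.strip("[]")).is_loopback

def audit(text):
    """Flag network-facing SOCKS listeners whose policy lacks a final 'reject *'."""
    listeners, policy = parse_torrc(text)
    closed = bool(policy) and policy[-1] == ("reject", "*")
    return [f"{h}:{p} is network-facing but SOCKSPolicy does not end in 'reject *'"
            for h, p in listeners if not is_local(h) and not closed]

if __name__ == "__main__":
    rules = parse_torrc(SAMPLE_TORRC)[1]
    print([decide(rules, c) for c in ("192.168.1.23", "10.0.0.5")], audit(SAMPLE_TORRC))
```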
    
    
    <h2>PAC (Proxy Auto-Configuration)</h2>
    
    <p>
    Many clients do not support direct SOCKS proxy configuration (some browsers are an exception) but only have the option for <strong>manual</strong> or <strong>automatic</strong> configuration. Manual configuration only creates an HTTP proxy connection, so we need an automatic configuration.