Tor

The maximum file descriptor number that can be opened by Tor can be set with in tor.service. Fast relays may want to increase this value.

If your computer is not running a web server, and you have not set , consider changing your to and/or your to . Many Tor users are stuck behind firewalls that only let them browse the web, and this change will let them reach your Tor relay. If you are already using ports and , other useful ports are , , 143 and . Ports below 1024 are privileged ports, so to use those, Tor must be run as root by setting User=root in tor.service and in .

You may wish to review the Tor documentation.

Most users will not need this. But some programs will ask you to open your Tor ControlPort so they get low-level access to your Tor node.

Via the ControlPort, other applications can change and monitor your Tor node, to modify your Tor configuration while Tor is running, or to get details about Tor network status and Tor circuits.

append to your file

ControlPort 9051

From Tor's control-spec.txt:

For security, the [Tor control] stream should not be accessible by untrusted parties.

So, for more security, we will restrict access to the ControlPort, either with a cookie file, or a control password, or both.

To your add

With cookie auth, access to your ControlPort is restricted by file permissions to your Tor cookie file, and to your Tor data directory.

With the configuration above, all users in the group have access to your Tor cookie file.

Add them to the user group.

Restart tor.service

Now user should have access to your Tor cookie file.

$ stat -c%a /var/lib/tor /var/lib/tor/control_auth_cookie

should print and .

Convert your password from plain-text to hash

and add that hash to your

HashedControlPassword your_hash

the bash history commands prevent your clear-text password from being written to your bash $HISTFILE

If some program needs access to your Tor ControlSocket, as in Unix Domain Socket, add the following to your :

Add the user who will run the program to the user group

Restart tor.service and relaunch the program.

To verify the status of the control sockets:

# stat -c%a /var/lib/tor /var/lib/tor/control_socket

should print and

To test your ControlPort, run with

$ echo -e 'PROTOCOLINFO\r\n' | nc 127.0.0.1 9051

To test your ControlSocket, run socat with

$ echo -e 'PROTOCOLINFO\r\n' | sudo -u user socat - UNIX-CLIENT:/var/lib/tor/control_socket

both commands should print

See Tor's control-spec.txt for more commands.

In this example the container will reside in /srv/container:

# mkdir /srv/container/tor-exit

Install the .

Install , tor and nyx as per systemd-nspawn#Create and boot a minimal Arch Linux container:

# pacstrap -K -ci /srv/container/tor-exit base tor nyx

Create directory if it does not exist:

# mkdir /var/lib/container

Symlink to register the container on the host, as per systemd-nspawn#Management:

# ln -s /srv/container/tor-exit /var/lib/container/tor-exit

Create a drop-in configuration file for the container:

creates a "macvlan" interface named  and assigns it to the container, see systemd-nspawn#Use a "macvlan" or "ipvlan" interface for details. This is advisable for security as it will allow you to give a private IP to the container, and it will not know what your machine's IP is. This can help obscure DNS requests.

per #Raise maximum number of open file descriptors.

Set up systemd-networkd according to your network in .

Start/enable systemd-nspawn@tor-exit.service.

Login to the container (see systemd-nspawn#machinectl):

# machinectl login tor-exit 

See systemd-nspawn#Root login fails if you cannot log in.

Start and enable . networkctl displays if is correctly configured.

See #Running a Tor server.

In Preferences > General > Network Settings > Settings... , select Manual proxy configuration and enter SOCKS host with port (SOCKS v5). To channel all DNS requests through TOR's socks proxy, also select Proxy DNS when using SOCKS v5.

You can simply run:

$ chromium --proxy-server="socks5://myproxy:8080" --host-resolver-rules="MAP * ~NOTFOUND , EXCLUDE myproxy"

The --proxy-server="socks5://myproxy:8080" flag tells Chrome to send all and https:// URL requests through the SOCKS proxy server , using version 5 of the SOCKS protocol. The hostname for these URLs will be resolved by the proxy server, and not locally by Chrome.

The flag applies to URL loads only. There are other components of Chrome which may issue DNS resolves directly and hence bypass this proxy server. The most notable such component is the "DNS prefetcher". Hence if DNS prefetching is not disabled in Chrome then you will still see local DNS requests being issued by Chrome despite having specified a SOCKS v5 proxy server. Disabling DNS prefetching would solve this problem, however it is a fragile solution since one needs to be aware of all the areas in Chrome which issue raw DNS requests. To address this, the next flag, , is a catch-all to prevent Chrome from sending any DNS requests over the network. It says that all DNS resolves are to be simply mapped to the (invalid) address (think of it as ). The clause make an exception for "myproxy", because otherwise Chrome would be unable to resolve the address of the SOCKS proxy server itself, and all requests would necessarily fail with .

To prevent the WebRTC leak you can install the extension WebRTC Network Limiter.

The first thing to check when debugging is look at the Proxy tab on about:net-internals, and verify what the effective proxy settings are: chrome://net-internals/#proxy

Next, take a look at the DNS tab of to make sure Chrome is not issuing local DNS resolves:

Just as with Firefox, you can setup a fast switch for example through Proxy SwitchySharp.

Once installed enter in its configuration page. Under the tab Proxy Profiles add a new profile Tor, if ticked untick the option Use the same proxy server for all protocols, then add localhost as SOCKS Host, 9050 to the respective port and select SOCKS v5.

Optionally you can enable the quick switch under the General tab to be able to switch between normal navigation and Tor network just by left-clicking on the Proxy SwitchySharp's icon.

See #Chromium

You can simply run:

$ torsocks luakit

Add following line to your file to set port on your as HTTP proxy:

HTTPTunnelPort 127.0.0.1:8118

Refer to Tor manual for further information.

The FoxyProxy add-on allows you to specify multiple proxies for different URLs or for all your browsing. After restarting Firefox manually set Firefox to port on , which is where Privoxy are running. These settings can be access under Add > Standard proxy type. Select a proxy label (e.g Tor) and enter the port and host into the HTTP Proxy and SSL Proxy fields. To check if Tor is functioning properly visit the Tor Check website and toggle Tor.

You can also use this setup in other applications like messaging (e.g. Jabber, IRC). Applications that support HTTP proxies you can connect to Privoxy (i.e. ). To use SOCKS proxy directly, you can point your application at Tor (i.e. ). A problem with this method though is that applications doing DNS resolves by themselves may leak information. Consider using Socks4A (e.g. with Privoxy) instead.

You can set up Pidgin to use Tor globally, or per account. To use Tor globally, go to Tools -> Preferences -> Proxy. To use Tor for specific accounts, go to Accounts > Manage Accounts, select the desired account, click Modify, then go to the Proxy tab. The proxy settings are as follows:

Proxy type SOCKS5
Host 127.0.0.1
Port 9150

Note that some time in 2013 the Port has changed from 9050 to 9150 if you use the Tor Browser Bundle. Try the other value if you receive a "Connection refused" message.

Libera Chat recommends connecting to directly. It also requires SASL to identify to NickServ during connection; see Irssi#Authenticating with SASL. Start irssi:

$ torsocks irssi

Set your identification to nickserv, which will be read when connecting. Supported mechanisms are ECDSA-NIST256P-CHALLENGE (see ecdsatool) and PLAIN. DH-BLOWFISH is not supported.

/sasl set network username password mechanism

Disable CTCP and DCC and set a different hostname to prevent information disclosure:

/ignore * CTCPS
/ignore * DCC
/set hostname fake_host

Connect to Libera Chat:

/connect -network network libera75jm6of4wxpxt4aynol3xjmbtxgfyjpu34ss4d7r7q2v5zrpyd.onion

For more information check Accessing Libera.Chat Via Tor, Using SASL or IRC/SILC Wiki article.

A Tor bridge is a Tor relay that is not listed in the public Tor directory, thus making it possible for people to connect to the Tor network when governments or ISPs block all public Tor relays. Visit https://bridges.torproject.org/ for more information and instructions on how to get bridge addresses.

To run a Tor bridge, make your configuration file be just these four lines (also see Tor Project running a bridge):

SOCKSPort 0
ORPort 443
BridgeRelay 1
ExitRelay 0

This means that your machine will act as an entry node or forwarding relay and, unlike a bridge, it will be listed in the public Tor directory. Your IP address will be publicly visible in the Tor directory but the relay will only forward to other relays or Tor exit nodes, not directly to the internet.

To run a Tor relay, add the following options to the configuration file, you should at least share 20KiB/s:

Nickname tornickname
ORPort 9001                  # This TCP-Port has to be opened/forwarded in your Firewall
BandwidthRate 20 KB          # Throttle traffic to 20KB/s
BandwidthBurst 50 KB         # But allow bursts up to 50KB/s
ExitRelay 0                  # Disallow exits from your relay

Any requests from a Tor user to the regular internet obviously need to exit the network somewhere, and exit nodes provide this vital service. To the accessed host, the request will appear as having originated from your machine. This means that running an exit node is generally considered more legally onerous than running other forms of Tor relays. Before becoming an exit relay, you may want to read Tor Project - tips for running an exit node.

Using the , you can configure which services you wish to allow through your exit node.

Make the relay an exit relay:

ExitRelay 1

Allow all traffic:

ExitPolicy accept *:*

Allow only IRC ports 6660-6667 but nothing else to exit from node:

ExitPolicy accept *:6660-6667,reject *:*

By default, Tor will block certain ports. You can use the to override this, for example accepting NNTP:

ExitPolicy accept *:119

If you run a fast exit relay (+100Mbps) with and , the following configuration changes might serve as inspiration to setup Tor alongside iptables firewall, Haveged to increase system entropy and pdnsd as DNS cache. It is important to first read Configuring a Tor relay on Debian/Ubuntu.

To handle more than 8192 connections can be raised to 32768 as per Tor FAQ (Should I install Tor from my package manager, or build from source?).

/etc/systemd/system/tor.service.d/increase-file-limits.conf

[Service]
LimitNOFILE=32768

To successfully raise limit, you may also have to append the following:

Check if the (filedescriptor) limit is successfully raised with as the root user or and as the root user.

To bind Tor to privileged ports the service must be started as root. Please specify option in /etc/tor/torrc.

To listen on Port 80 and 443 the service need to be started as as described in #Start tor.service as root to bind Tor to privileged ports. Use the option in /etc/tor/torrc to properly reduce Tor’s privileges.

/etc/tor/torrc

SOCKSPort 0                                       ## Pure relay configuration without local socks proxy

Log notice stdout                                 ## Default Tor behavior

ControlPort 9051                                  ## For nyx connection
CookieAuthentication 1                            ## For nyx connection

ORPort 443                                        ## Service must be started as root

Address $IP                                       ## IP or FQDN
Nickname $NICKNAME                                ## Nickname displayed in [https://metrics.torproject.org/rs.html Tor Relay Search]

RelayBandwidthRate 500 Mbits                      ## bytes/KBytes/MBytes/GBytes/KBits/MBits/GBits
RelayBandwidthBurst 1000 MBits                    ## bytes/KBytes/MBytes/GBytes/KBits/MBits/GBits

ContactInfo $E-MAIL                               ## [https://gitlab.torproject.org/tpo/community/relays/-/issues/18 Tor Relay good practices] suggests an email

DirPort 80                                        ## Service must be started as root
DirPortFrontPage /etc/tor/tor-exit-notice.html    ## Original: [https://gitweb.torproject.org/tor.git/plain/contrib/operator-tools/tor-exit-notice.html https://gitweb.torproject.org/tor.git/plain/contrib/operator-tools/tor-exit-notice.html]

MyFamily $($KEYID),$($KEYID)...                   ## Remember $ in front of keyid(s) ;)

ExitPolicy reject XXX.XXX.XXX.XXX/XX:*            ## Block domain of public IP in addition to std. exit policy

User tor                                          ## Return to tor user after service started as root to listen on privileged ports

DisableDebuggerAttachment 0                       ## For nyx connection

### Performance related options ###
AvoidDiskWrites 1                                 ## Reduce wear on SSD
DisableAllSwap 1                                  ## Service must be started as root
HardwareAccel 1                                   ## Look for OpenSSL hardware cryptographic support
NumCPUs 2                                         ## Only start two threads

This configuration is based on the Tor Manual.

Tor opens a socks proxy on port 9050 by default -- even if you do not configure one. Set if you plan to run Tor only as a relay, and not make any local application connections yourself.

changes logging to stdout, which is also the Tor default.

ControlPort 9051, and enables nyx to connect to Tor and display connections.

and  lets Tor listen on port 443 and 80 and  displays the tor-exit-notice.html on port 80.

should reflect your public IP and netmask, which can be obtained with the command , so exit connections cannot connect to the host or neighboring machines public IP and circumvent firewalls.

reduces disk writes and wear on SSD.
"will attempt to lock all current and future memory pages, so that memory cannot be paged out". 

If grep aes /proc/cpuinfo returns that your CPU supports AES instructions and returns that the module is loaded, you can specify HardwareAccel 1 which tries "to use built-in (static) crypto hardware acceleration when available", see https://www.torservers.net/wiki/setup/server#aes-ni_crypto_acceleration.

, and require that you start the Tor service as as described in #Start tor.service as root to bind Tor to privileged ports. Use the option to properly reduce Tor’s privileges.

If ControlPort 9051 and is specified in /etc/tor/torrc, nyx can be started with . If you want to watch Tor connections in nyx must also be specified.

If you want to run as a different user than , read section #Set a Tor Control cookie file

Setup and learn to use iptables. Instead of being a Simple stateful firewall where connection tracking would have to track thousands of connections on a tor exit relay this firewall configuration is stateless.

and  disables connection tracking in the  table.

is the default INPUT target and drops input traffic we do not specifically .

is the default FORWARD target and only relevant if the host is a normal router, not  when the host is an onion router.

is the default  target and allows all outgoing connections.

allow already established incoming TCP connections per the rules below and TCP connections established from the exit node.

allow all incoming UDP connections because we do not use connection tracking.

allow ICMP.

allow incoming connections to the .

-A INPUT -p tcp --dport 80 -j ACCEPT allow incoming connections to the .

allows all connections on the loopback interface.

See Haveged to decide if your system generates enough entropy to handle a lot of OpenSSL connections, see haveged - A simple entropy daemon and how-to-setup-additional-entropy-for-cloud-servers-using-haveged for documentation.

You can use pdnsd to cache DNS queries locally, so the exit relay can resolve DNS faster and the exit relay does not forward all DNS queries to an external DNS recursor.

This configuration stub shows how to cache queries to your normal DNS recursor locally and increase pdnsd cache size to 100MB.

If your local DNS recursor is in some way censored or interferes with DNS queries, see Alternative DNS services for alternatives and add them in a seperate server-section in as per Pdnsd#DNS servers.

First check that tor.service started correctly either with the journal or by checking the unit status.

If there are no errors, one can run to ensure your relay is making connections. Do not be concerned if your new relay is slow at first; this is normal. After approximately 3 hours, your relay should be published and searchable on Relay Search.

It is possible to configure your system, if so desired, to use TorDNS for any A, AAAA and PTR queries your system makes, regardless of whether or not you eventually use Tor to connect to your final destination. To do this, configure your system to use 127.0.0.1 as its DNS server and edit the line in /etc/tor/torrc to show:

DNSPort 53

Alternatively, you can use a local caching DNS server, such as dnsmasq or pdnsd, which will also compensate for TorDNS being a little slower than traditional DNS servers. The following instructions will show how to set up dnsmasq for this purpose. Note, if you are using NetworkManager you will need to add your configuration file to to the location outlined in NetworkManager#dnsmasq.

Change the tor setting to listen for the DNS request in port 9053 and install dnsmasq.

Modify its configuration file so that it contains:

These configurations set dnsmasq to listen only for requests from the local computer, and to use TorDNS at its sole upstream provider. It is now necessary to edit so that your system will query only the dnsmasq server.

Start the dnsmasq daemon.

Finally if you use dhcpcd you would need to change its settings to that it does not alter the resolv configuration file. Just add this line in the configuration file:

If you already have an line, just add separated with a comma.

If you want to run tor as a non-root user, and use a port lower than 1024 you can use kernel capabilities to allow to bind to ports lower than 1024:

# setcap CAP_NET_BIND_SERVICE=+eip /usr/bin/tor

If you use the systemd service, it is also possible to use systemd to give the tor process the appropriate permissions. This has the benefit that permissions do not need to be reapplied after every tor upgrade:

Refer to superuser.com for further explanations.

If the tor daemon failed to start, then run the following command as root (or use sudo)

# tor

If you get the following error

May 23 00:27:24.624 [warn] Error setting groups to gid 43: "Operation not permitted".
May 23 00:27:24.624 [warn] If you set the "User" option, you must start Tor as root.
May 23 00:27:24.624 [warn] Failed to parse/validate config: Problem with User value. See logs for details.
May 23 00:27:24.624 [err] Reading config failed--see warnings above.

Then it means that the problem is with the User value, which likely means that one or more files or directories in your directory is not owned by tor. This can be determined by using the following find command:

# find /var/lib/tor/ '!' -user tor

Any files or directories listed in the output from this command needs to have its ownership changed. This can be done individually for each file like so:

# chown tor:tor /var/lib/tor/filename

Or to change everything listed by the above find example, modify the command to this:

# chown -R -v tor:tor /var/lib/tor

Tor should now start up correctly.

Still if you cannot start the tor service, run the service using root (this will switch back to the tor user). To do this, change the user name in the /etc/tor/torrc file:

User tor

Now edit tor.service as follows

[Service]
User=root
Group=root
Type=simple

The process will be run as tor user. For this purpose change user and group ID to tor and also make it writable:

# chown -R tor:tor /var/lib/tor/
# chmod -R 700 /var/lib/tor

Now do a daemon-reload then start tor.service.

should generally work without significant customization. If previously installed/configured and bundled proxy fails with  for any website, consider resetting settings by moving or deleting  directory.

If using AppArmor, update the torbrowser profile to allow access to required resources , :