Synopsis: The Onion Router, Tor, anonymises users by routing their internet traffic, encrypted in layers, through a chain of intermediate relays.
Contents
- 1 In short
- 2 How it works
- 3 To just use the Tor network
- 4 Install using Flatpak
- 5 Snowflake
- 6 To be a Tor relay
In short
What: The network of Tor relays hides from your network operator (ISP, employer, Wi-Fi owner) which sites you visit, and hides your IP address from the sites you visit. There are mechanisms to work around blocking of Tor itself. There also exist sites that are only reachable through this network (onion services).
Users: To conveniently get good anonymity and to get past censorship or blocking when browsing, run Tor Browser. To send and receive files, host websites and chat with friends, use OnionShare. There are also specialised Linux systems with these programs preinstalled that run from a USB stick.
Supporters: The easiest and safest way to support users is to run the Snowflake Firefox add-on. More powerful, also safe but more work, is to run a bridge or a standalone Snowflake proxy; neither is listed publicly, so they are harder to block. Running a Tor non-exit relay also helps a lot, but you may find yourself blocked from a few services. Do not run Tor as an Exit relay unless well prepared: you WILL get problems.
How it works
The traffic between the user's computer and the relays is encrypted in several layers, one per relay on the path, hence the likeness to an onion that gave the technique its name.
At each hop one layer of encryption is removed. The last relay sends traffic to the destination, and receives the replies, as if it were the user's computer. This is called the Exit relay. It sees the traffic exactly as the application sent it, so only HTTPS (or another end-to-end encryption) keeps the content hidden from the exit operator.
There are three relays between the user and the destination: the Entry/Guard relay, a Middle relay and the Exit relay. The entry relay learns your IP address but not the destination; the exit learns the destination but not your IP address. Circuits are rebuilt frequently, while the same Guard is kept for months, so that a constantly changing entry point cannot be used to profile you.
With the configuration shipped by Mageia (ORPort set, see To be a Tor relay below), your installed Tor will also act as Entry/Guard and Middle relay, but only once its ORPort is reachable from the internet; otherwise it works as a plain client. In both cases it opens a local SOCKS port (127.0.0.1:9050) that applications such as Firefox can use as a proxy.
DO NOT enable Exit functionality unless you are prepared to defend it, see To be a Tor relay below.
Nomenclature: A relay is sometimes called a node. A relay that is only Entry/Guard relay and Middle relay is often called a non-exit relay.
To circumvent blocking, users can use Snowflake or a bridge as a stepping stone to the first relay; see more below.
Note: Tor is not top-class secure communication, but it is suitable for ordinary people. It hides who talks to whom from local observers and from the sites visited; it does not protect against an adversary who can watch both ends of a connection, nor against leaks caused by the application or the user (see Anonymity considerations below). Search the internet for more information.
Resources
Wikipedia || Tor project || FSF || Support FAQ || Glossary || Tor forum
There are also several sites that explain it well, like this one, and some YouTube videos.
To just use the Tor network
Note: The easiest and most secure way to just browse is to use the Tor Browser.
Tor + browser
Using a standard browser with a locally running tor as proxy. This method also lets other applications reach the Tor network through the same proxy. It requires no software beyond what Mageia has packaged. It gives you Tor's routing but not Tor Browser's fingerprinting and leak protections, so do read Anonymity considerations!
- Install our tor package.
- Enable and start the tor systemd service: Mageia Control Center, section System > Manage system services by enabling or disabling them; scroll down to tor, checkmark "On boot", and to start it now click "Start". There is no immediate response; exit with OK.
- Firefox: In Firefox Settings, click the "Settings..." button under Network Settings (at the very end of the General settings), then select "Manual proxy configuration". Enter "127.0.0.1" as SOCKS Host and "9050" as Port, select SOCKS v5, and check "Proxy DNS when using SOCKS v5" so that name lookups go through Tor instead of your ISP's resolver.
- Test: Open https://check.torproject.org/ - it should say you are using Tor.
Change the Firefox setting back to "No proxy" for normal web use. There is no need to restart Firefox when switching between no proxy and the SOCKS5 proxy.
Comment: for this usage the user need not be in the toruser group, and tor-master.service need not be started.
Warning! Some sites block Tor users. In this scenario tor runs only as a client (without a router port forward its ORPort is not reachable, so it is not listed as a relay), so it is the exit relay's address, not yours, that the site sees and may block; the same holds for Tor Browser. Pick another circuit, or the site's .onion address, in that case. Running a reachable relay is a different matter, see the warning under To be a Tor relay.
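The proxy set-up above, as an added example in Python (not part of this page's instructions, and not code from the Tor project): it speaks SOCKS5 to the local tor on 127.0.0.1:9050 by hand, so you can see what the Firefox settings do. The destination is sent as a host name, which is what "Proxy DNS when using SOCKS v5" makes Firefox do, so no DNS query for the site leaves your machine; the leaky variant that sends a pre-resolved IP address is included for contrast. It also shows tor's stream isolation: any SOCKS username/password you invent is accepted, and streams with different credentials are put on different circuits (tor's IsolateSOCKSAuth, on by default). The check page and its "Congratulations" text are those of check.torproject.org; the credential strings and the documentation address 192.0.2.10 are arbitrary.

```python
"""SOCKS5 by hand against the local tor (127.0.0.1:9050).
Added example for this wiki page, not code from the Tor project."""
import socket
import ssl
import struct

TOR_SOCKS = ("127.0.0.1", 9050)   # tor's default SOCKSPort, as used in the Firefox settings above

REPLY_TEXT = {0: "succeeded", 1: "general SOCKS server failure",
              2: "connection not allowed by ruleset", 3: "network unreachable",
              4: "host unreachable", 5: "connection refused", 6: "TTL expired",
              7: "command not supported", 8: "address type not supported"}


def connect_request(host, port):
    """CONNECT with the destination as a NAME (ATYP 0x03): tor resolves it inside the
    circuit. This is what Firefox's "Proxy DNS when using SOCKS v5" box makes it do."""
    name = host.encode("idna")
    if not 0 < len(name) < 256:
        raise ValueError("SOCKS5 host name must be 1..255 bytes")
    return b"\x05\x01\x00\x03" + bytes([len(name)]) + name + struct.pack("!H", port)


def leaky_connect_request(ip, port):
    """What a client sends when it resolved the name itself first (ATYP 0x01): the DNS
    query went out in the clear and told your ISP which site you visit. For contrast."""
    return b"\x05\x01\x00\x01" + socket.inet_aton(ip) + struct.pack("!H", port)


def parse_reply(data):
    """Decode a SOCKS5 reply into (code, text, bound_address, bound_port)."""
    if len(data) < 4 or data[0] != 0x05:
        raise ValueError("not a SOCKS5 reply")
    code, atyp = data[1], data[3]
    if atyp == 0x01:
        addr, off = socket.inet_ntoa(data[4:8]), 8
    elif atyp == 0x03:
        n = data[4]
        addr, off = data[5:5 + n].decode("idna"), 5 + n
    elif atyp == 0x04:
        addr, off = socket.inet_ntop(socket.AF_INET6, data[4:20]), 20
    else:
        raise ValueError("unknown address type %d" % atyp)
    (bound_port,) = struct.unpack("!H", data[off:off + 2])
    return code, REPLY_TEXT.get(code, "unknown"), addr, bound_port


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("proxy closed the connection")
        buf += chunk
    return buf


def tor_connect(host, port, isolation=None, proxy=TOR_SOCKS, timeout=60):
    """Return a TCP socket to host:port that goes through tor. `isolation` is any
    (username, password) pair you invent: tor ignores the values but keeps streams with
    different pairs on different circuits, so two identities never share an exit."""
    s = socket.create_connection(proxy, timeout=timeout)
    try:
        s.sendall(b"\x05\x01\x00" if isolation is None else b"\x05\x01\x02")  # offer one auth method
        ver, method = _recv_exact(s, 2)
        if ver != 0x05 or method == 0xFF:
            raise ConnectionError("proxy rejected the offered authentication method")
        if method == 0x02:                                   # RFC 1929 username/password
            user, pw = (x.encode() for x in isolation)
            s.sendall(b"\x01" + bytes([len(user)]) + user + bytes([len(pw)]) + pw)
            if _recv_exact(s, 2) != b"\x01\x00":
                raise ConnectionError("SOCKS authentication failed")
        s.sendall(connect_request(host, port))
        head = _recv_exact(s, 4)                             # VER REP RSV ATYP
        if head[3] == 0x01:
            rest = _recv_exact(s, 4 + 2)
        elif head[3] == 0x03:
            n = _recv_exact(s, 1)
            rest = n + _recv_exact(s, n[0] + 2)
        elif head[3] == 0x04:
            rest = _recv_exact(s, 16 + 2)
        else:
            raise ConnectionError("malformed SOCKS5 reply")
        code, text, _, _ = parse_reply(head + rest)
        if code != 0:
            raise ConnectionError("tor could not connect: " + text)
        return s
    except Exception:
        s.close()
        raise


def am_i_using_tor(isolation=None):
    """Same test as opening https://check.torproject.org/ in the browser."""
    raw = tor_connect("check.torproject.org", 443, isolation)
    ctx = ssl.create_default_context()
    with ctx.wrap_socket(raw, server_hostname="check.torproject.org") as tls:
        tls.sendall(b"GET / HTTP/1.0\r\nHost: check.torproject.org\r\n\r\n")
        page = b""
        while True:
            chunk = tls.recv(4096)
            if not chunk:
                break
            page += chunk
    return b"Congratulations" in page


if __name__ == "__main__":
    print("using Tor:", am_i_using_tor())
    print("using Tor, separate circuit:", am_i_using_tor(("bank", "x")))  # credentials are arbitrary
```

Run it with tor started as above; the second call goes out through a different exit than the first, which is what you want when the same browsing session must not link two accounts.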
Tor Browser
Recommended.
Tor Browser (also called "tbb", from its old name Tor Browser Bundle) is a hardened browser based on Firefox ESR with Tor built in, and can be configured to use Snowflake or bridges.
It comes with NoScript, HTTPS-only mode (older versions shipped the HTTPS Everywhere add-on instead), and patches against fingerprinting and leaks to protect your privacy and anonymity.
Wikipedia || Manual || Download
Mageia does not have tbb packaged, but you can Install using Flatpak if you prefer not to use (or are blocked from) the direct download.
Tor Browser must be kept updated, or you may be vulnerable to serious security flaws that compromise your privacy and anonymity. Tor Browser prompts you to update, and normally it is launched via a start script that checks for updates and applies them automatically.
Alternatives
Booting a separate system. Some can be put on a USB stick and carried along, some with encrypted storage included.
Wikipedia article on Security-focused OS
On Mageia, install IsoDumper and use it to write the .img or .iso file of the chosen system below to your USB stick.
Mageia based
- Based on Mageia: a replacement Tor+browser Docker image, a live Mageia with security hardening, and other tricks, see mga#29998
- Use the usual Mageia Live ISO, and when writing it to the stick with IsoDumper, enable persistence. Boot it, update it, and for example install Tor Browser and OnionShare via Flatpak as described elsewhere on this page.
Tails
Tails is compact and runs directly from a USB stick. Much is preinstalled, and it is easy to set up encrypted persistent storage on the stick: Menu Applications > System Tools > Configure Persistent volume. Download & Instructions. Apps preinstalled: Tor Browser, OnionShare, Thunderbird, Pidgin, KeePassXC, LibreOffice... Tails forces all network traffic through Tor and blocks anything that would bypass it.
Parrot OS
Parrot OS runs directly from a USB stick. Great look! Apps preinstalled: Firefox, Tor Browser, OnionShare, ... Selecting Tor Browser in the menu downloads it, which may take time on a slow connection; you may instead use Firefox and first start Tor: Menu Applications > Privacy > AnonSurf GUI. To be completed...
It is supposed to handle persistent storage (encrypted and not), but it is convoluted and I could not get it to work. (I used Mageia diskdrake to add an ext4 partition on the USB stick, labelled it "persistence", and selected persistence at boot; it did not work. I also tried with encryption selected at the partitioning stage and at boot; decryption failed.)
Qubes OS
Qubes OS needs to be conventionally installed. It can integrate Whonix (below) as Tor gateway and workstation templates.
Whonix
Whonix needs to be run under a host system / virtualiser, such as VirtualBox on Mageia. Install VirtualBox per the Mageia method, and for the rest of the install follow this. There are two virtual machines: the Gateway, which runs Tor, and the Workstation, whose only network path is through the Gateway, so an application that leaks (or is compromised) still cannot reveal your real IP address. Documentation. Apps preinstalled: Tor Browser, HexChat, ... not OnionShare.
Onion services
Using the Tor network you can reach any .onion site. Note that .onion sites are not reachable without Tor. A (v3) .onion address is derived from the service's public key, so reaching the right address also authenticates the service without any certificate authority, and the connection stays encrypted inside Tor from end to end: there is no exit relay that could see the traffic.
Onion services allow people to browse and also to publish anonymously, including publishing anonymous websites. Onion services are also relied on for metadata-free chat and file sharing, safer interaction between journalists and their sources (as with SecureDrop or OnionShare), safer software updates, and more secure ways to reach popular websites, like:
News: BBC news || The Guardian || NYTimes || ProPublica - Investigative journalism.
Social network: Twitter || Facebook
Email: ProtonMail
File sharing: MEGA Tor filesharing || ZeroBin share snippets of text or code.
Good to know: SecureDrop is used by many organisations (e.g. newspapers) to receive documents (e.g. from whistleblowers).
(Please add more news sites or other very useful sites.) E.g. I could not yet find a .onion site of regime-censored news sites such as Russian Meduza.
Here be dragons! Onion sites, and the Darknet in general, can host some horrifying content.
OnionShare lets you securely and anonymously send and receive files, host websites, and chat with friends using the Tor network. For details see the Manual. By default it uses a built-in tor, but it can use a separate local Tor or a bridge: click the onion icon at bottom right. On Mageia you can Install using Flatpak. Remember to keep it updated.
Circumventing censoring and blocking
Tor Browser can be set to use Snowflake or bridges as a stepping stone to the Tor network. Users then do not connect to the publicly listed relay addresses, making the connections harder to block.
If one of the suggested options does not work, check your Tor logs and try another option. Logs: Hamburger menu ("≡"), "Preferences", section "Tor". At the bottom right of the page, button "View Logs...".
China
https://support.torproject.org/censorship/connecting-from-china/:
- Get an updated version of Tor Browser: send an email to gettor@torproject.org with the subject "windows zh-cn" or other operating system (linux or macos).
- Obtain a bridge that works in China. Either of
- In Tor Browser, set it to use Snowflake
- Private and unlisted obfs4 bridges: contact Telegram Bot @GetBridgesBot and type /bridges. Or send an email to frontdesk@torproject.org with the phrase "private bridge" in the subject.
- meek-azure: makes it look like you are browsing a Microsoft website instead of using Tor. Because it has a bandwidth limitation, this option will be quite slow. You can select meek-azure from Tor Browser's built-in bridges dropdown.
Russia
Tor traffic is detected by DPI systems already at the provider level (each provider has such a system on its site and they are all managed centrally), but so far Tor is not blocked. Connecting using Snowflake or a bridge seems to be a problem, but try.
Meduza - Digital darkness || How to circumvent censorship || Another
Other countries
Websites blocking
Some websites block Tor users, usually by refusing connections from known exit relay addresses. If that happens, try "New Circuit for this Site" in Tor Browser to get a different exit, or use the site's .onion address if it has one.
Anonymity considerations
User behaviour is important!
Use HTTPS versions of websites (the exit relay sees everything that is not encrypted end to end). Use bridges from trusted sources. Do not torrent, do not enable browser plugins, and do not open files downloaded through Tor while online (you may have been tricked into downloading an application or document with code or links that make your computer send revealing information). You cannot give your real name or other revealing information in web forums over Tor and stay anonymous. Check whether the site you want has a .onion site or service, and prefer that.
EFF: Surveillance self-defence || https://securityinabox.org/
In Tor Browser you can conveniently set the security level (Standard, Safer, Safest).
If you are in a country where Tor is blocked, Tor Browser's settings have a Tor section, about:preferences#tor, where you can set it to connect using a bridge (including Snowflake), a proxy, ...
If you do not want Tor Browser installed, it can run from a USB stick, or even the whole operating system can.
Using Bridges
From Tor project bridges manual:
Most Pluggable Transports, such as obfs4, rely on the use of "bridge" relays. Like ordinary Tor relays, bridges are run by volunteers; unlike ordinary relays, however, they are not listed publicly, so an adversary cannot identify them easily.
Using bridges in combination with pluggable transports helps to conceal the fact that you are using Tor, but may slow down the connection compared to using ordinary Tor relays.
Problems connecting
If not because of censoring, one of the most common reasons Tor will not connect is an incorrect system clock: Tor rejects directory information whose validity period does not match its idea of the time. On Mageia check with timedatectl and enable NTP synchronisation.
Install using Flatpak
Not for tor, but for Tor Browser and OnionShare: Mageia does not have them packaged, but they can conveniently be installed using Flatpak; see our main page on Flatpak.
In short: first install the Mageia package flatpak, and then open a terminal and as normal user issue:
flatpak remote-add --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo
flatpak install torbrowser
flatpak install onionshare
You then find them in the Mageia launch menu: Internet > more
The torbrowser flatpak is Tor Browser Launcher: on first launch it downloads Tor Browser and verifies the signature on the download before running it. To be completed...
I guess it also takes care of updating on later launches.
Snowflake
Snowflake acts as a proxy for censored users to reach a Tor bridge.
Note: This is for you who cannot run a Tor relay or bridge but want to help the network, especially people in censored parts of the world. It should not be used by you who use the network for anonymisation.
Snowflake avoids the risk of getting your IP address blocked from sites and services. Total network capacity is limited by the broker and the bridge(s) that Snowflakes talk to. Still, more Snowflake proxies mean more capacity and more short-lived addresses for a censor to block.
To an observer, Snowflake looks like a WebRTC client, like any video-conference service. But someone looking for Snowflake proxies specifically can watch who opens connections to the Snowflake broker or the bridge and assume those are proxies.
It can easily be run as a Firefox add-on.
Snowflake can also be run separately as a Docker image, or compiled from source.
Snowflake does not need tor installed on your system.
To be a Tor relay
To help the Tor network, please become a relay. More relays mean both better anonymity and better throughput.
To be a working relay, your Tor instance must be reachable from the internet. See below for how to achieve that, and have the corresponding set-up in the Tor configuration file.
Warning: As mentioned, do not activate Exit functionality unless you are fine with your IP address getting listed in blacklists AND you accept the risk of being accused of illicit activity. Prepare to respond, see links below.
Warning! Some sites will block you for just running a Tor relay, even when it is not an Exit.
The default configuration as well as the example configuration below enable Entry/Guard relay and Middle relay functionality. Initially your Tor will only be used as a middle relay; after some days of uptime and stability it may be assigned the Guard flag and used as Guard too.
Traffic is low in the beginning, increases slowly over hours and days as your relay proves its capacity, and only gets high once it is trusted as a Guard relay.
To not overload your connection, you can configure the peak bandwidth (RelayBandwidthBurst), the maximum average bandwidth (RelayBandwidthRate), and the amount of traffic per period, e.g. per month (AccountingMax together with AccountingStart).
Thousands of connections are normal. This may be a problem for low-end LAN routers, some of which even crash or need a restart. Also some ISPs limit the number of connections. If you are in this situation, consider running a standalone Snowflake proxy or a bridge instead of a relay, see below.
CPU and RAM usage example in my case for 3 MB/s: tor <20% of one 3.4 GHz old i7 CPU core, ksgrd_network_helper about 60%, both together <500 MB RAM.
Recommended: Relay operator FAQ
Also see: Relay || Setup guide || Metrics || See your relay || See your IP address
Abuse - be especially prepared if running an exit relay: Abuse expectations || Legal FAQ || Abuse complaint reply templates
Running Exit relay: Tips || Setup Exit relay || What to exit || Firewall
Other functions
For someone to continue documenting
Run a Bridge
Bridges are unlisted entry points that users in censored areas can use to reach the Tor network. Used by #Snowflake (as the bridge the proxies forward to) and by #Tor Browser if configured there.
To be completed...
How to set up on Mageia
Mageia does not have obfs4proxy packaged. Maybe build it yourself (including some tips and tricks), and also see the instructions for Fedora packages; maybe that package works on Mageia. Mageia has Docker, so maybe the easiest is to run a Docker bridge image. Set up a Bridge || Stackexchange || DEV || Test if your bridge is reachable! || Post install
Run a Snowflake proxy
The big brother of the Snowflake add-on
To be completed...
How to set up on Mageia - Maybe use Docker
https://www.ictshore.com/data-center/how-to-use-docker/ https://forums.mageia.org/en/viewtopic.php?t=14022#p83344 https://bugs.mageia.org/show_bug.cgi?id=27251#c29 https://duckduckgo.com/?q=how+to+use+docker
Run Onion services
To be completed...
How to set up on Mageia
Internet connection
In the following I use port 9001 for the ORPort, as that is the default in the configuration files. You may configure and use other ports; which alternative ports can be used is beyond the scope of this page.
- In the Mageia firewall, open the port for TCP: Mageia Control Center, section Security > Set up your personal firewall, click "Advanced", and add in the text field: 9001/tcp
- In the LAN router: forward the same port to the system where you will run Tor.
- If you do not have a fixed IP address, it is good to use a name that dynamically points to your IP address. Often the router manufacturer offers such a service. In my case it could be administered in my router's configuration app; I have something.tplinkdns.com. Use this in the configuration file. Alternatively, leave the Address line out and tor will figure the address out.
- Alternatively, or in addition, you should have a public IP address. That means your modem hands your LAN router the same IP that is seen as yours on the internet. To save IPv4 addresses, ISPs nowadays often put customers behind carrier-grade NAT instead, and then no port forward on your router will make you reachable. In my case I just asked my ISP and they arranged a public address at no cost.
- IPv6: Newer Tor versions expect IPv6 and complain in the log if it fails. Therefore the configuration file example below disables IPv6, as most small office and home users do not get IPv6 from their internet provider. To let Tor use IPv6, edit the configuration, but first enable IPv6 in your LAN router and the Mageia firewall and test with http://test-ipv6.com/. Details are out of scope of this wiki page.
Deprecated: DirPort was used by earlier tor versions, for example to serve an exit notice page on Exit relays; current tor fetches directory data over the ORPort. The DirPort reachability self-test has been removed too, so it is no longer shown in the logs. Tor #40282.
Install
- Install the packages tor and nyx from the Mageia repository. Nyx is a text-based command-line monitor. After install, see the tor change log and more in /usr/share/doc/tor.
- Add your normal Mageia user to the group toruser: Mageia Control Center, section System > Manage users on system, double-click your user, select tab "Groups", and checkmark "toruser". You need to log out and in again (or reboot) for the new group to take effect in your session.
- Edit the configuration files.
- Start tor, and set it to start at boot (see To just use the Tor network). Note: tor-master.service is started regardless; only tor needs to be started/restarted/stopped manually and set to start at boot.
Check log
Check that it does not complain about anything important and that it reports that the ORPort is reachable from the outside (the line "Self-testing indicates your ORPort ... is reachable from the outside").
Start nyx in a terminal. It displays graphs of bandwidth in and out, and the recent part of the log.
For a yet unknown reason it needs to be started as root even when the user is in the toruser group. A likely cause: nyx must read the cookie file /run/tor/control.authcookie (group-readable for toruser with the configuration below), and a session started before the group was added does not carry it; check with the id command and log out and in again.
You can also open the log and debug files if configured; see the Tor configuration file.
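An added example (not from this page or from tor) that reads the notices log written by the configuration on this page and answers the two questions above, bootstrap and ORPort reachability, and maps warnings to what to do about them. The sample log lines are constructed for the example; their wording follows tor's messages, but exact wording varies between tor versions, so warnings the table does not recognise are reported verbatim rather than dropped. 192.0.2.10 is a documentation address.

```python
"""Summarise tor's notices log. Added example for this wiki page; the message phrases
it looks for follow tor's log messages, the sample below is constructed."""
import re
import sys

LINE_RE = re.compile(r"^(\w{3} \d\d \d\d:\d\d:\d\d\.\d{3}) \[(notice|warn|err)\] (.*)$")
BOOT_RE = re.compile(r"Bootstrapped (\d+)%")
REACHABLE_RE = re.compile(r"your ORPort (\S+) is reachable from the outside")
UNREACHABLE = "has not managed to confirm reachability"

# (phrase in the message, what to do). Wording differs between tor versions, so anything
# not matched is still reported verbatim instead of being dropped.
DIAGNOSES = [
    (UNREACHABLE, "ORPort not reachable: check the Mageia firewall, the router port forward and Address"),
    ("no authentication method has been configured",
     "ControlPort open without auth: any local program can reconfigure tor; set CookieAuthentication 1"),
    ("not recommended", "this tor version is too old for the directory authorities: update the package"),
    ("clock", "system clock problem: tor needs an accurate clock, enable NTP"),
    ("MaxMemInQueues", "memory pressure: raise MaxMemInQueues or lower RelayBandwidthRate"),
]


def summarise_tor_log(lines):
    """Return bootstrap percentage, ORPort reachability (None = no self-test seen) and the
    warn/err lines, each mapped to a diagnosis. Later lines override earlier ones."""
    s = {"bootstrapped": 0, "orport_reachable": None, "orport": None, "warnings": [], "errors": []}
    for raw in lines:
        m = LINE_RE.match(raw.rstrip("\n"))
        if not m:
            continue                      # not a tor file-log line
        level, msg = m.group(2), m.group(3)
        b = BOOT_RE.search(msg)
        if b:
            s["bootstrapped"] = max(s["bootstrapped"], int(b.group(1)))
        r = REACHABLE_RE.search(msg)
        if r:
            s["orport_reachable"], s["orport"] = True, r.group(1)
        elif UNREACHABLE in msg:
            s["orport_reachable"] = False
        if level in ("warn", "err"):
            diag = next((d for k, d in DIAGNOSES if k.lower() in msg.lower()), "unclassified: " + msg)
            s["warnings" if level == "warn" else "errors"].append(diag)
    return s


# Constructed sample; 192.0.2.10 is a documentation address.
SAMPLE_LOG = """\
Mar 15 10:00:00.000 [notice] Tor 0.4.7.13 opening log file.
Mar 15 10:00:01.000 [notice] Bootstrapped 0% (starting): Starting
Mar 15 10:00:05.000 [notice] Bootstrapped 100% (done): Done
Mar 15 10:00:06.000 [warn] ControlPort is open, but no authentication method has been configured. This means that any program on your computer can reconfigure your Tor.
Mar 15 10:20:00.000 [warn] Your server has not managed to confirm reachability for its ORPort(s) at 192.0.2.10:9001. Relays do not publish descriptors until their ORPort and DirPort are reachable. Please check your firewalls, ports, address, /etc/hosts file, etc.
Mar 15 10:25:00.000 [notice] Self-testing indicates your ORPort 192.0.2.10:9001 is reachable from the outside. Excellent. Publishing server descriptor.
"""

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "/var/log/tor/notices.log"
    with open(path, encoding="utf-8", errors="replace") as f:
        summary = summarise_tor_log(f)
    for key, value in summary.items():
        print(key, ":", value)
```

With the torrc below, notices go to /var/log/tor/notices.log; the script reads that file by default, or the path given as first argument.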
Check IP address blacklisting
Just detecting Tor
List of all Tor nodes - this seems to update quickly. Same but only Exit relays. And I got off that one automatically (I don't know how fast; I checked after less than a week).
https://openinternet.io/ has lists of relays and exit nodes. The node list does not include exits. Includes IPv6 addresses. Updated every 10 minutes. Input from the directory authorities and from torproject's torbulkexitlist. This script (click to execute) sets window._isTor to true if the remote IP address is a Tor exit according to the openinternet.io list. Shit happens: I was on torbulkexitlist two weeks after I shut down exit functions, but after a note to the sysop they restarted something and that got fixed.
https://ipinfo.io/ tells tor:true or tor:false. True means Tor exit. "Updating within 24-48 hours."
See if an IP address was running Tor on a given date, result per hour, but only up to two days ago.
Blacklisting by bad activity
Hands-on minor experience: I tried Exit mode (with ReducedExitPolicy set) for a day, and then some services, like a bank, blocked me from using them...
There are criminals using the Tor network too, and their traffic may leave through your Exit relay so that it looks like you are doing the criminal activity. This may lead to your IP address being blacklisted, but also to your accounts on various sites being locked, and you risk prosecution for someone else's crimes. More on this elsewhere on this page.
For some services it is enough to be an Exit relay for them to block your IP address.
I have read that some users think they got limited somehow (maybe only throttling by the ISP) even when not being an exit relay, but that may be due to the high number of TCP connections required.
There are a lot of different IP blacklists, and several sites that each check most of them. Here are some:
https://whatismyipaddress.com/blacklist-check || https://ip-check.net/check-blacklist.php || https://www.ipvoid.com/ip-blacklist-check || https://www.ip-tracker.org
A summing list: ipsum - 24h update cycle - listed in the ipvoid list. By experiment it includes torproject's torbulkexitlist directly or indirectly.
A kind of total score: ipqualityscore
Regarding email spamming: https://www.uceprotect.net/en/rblcheck.php
As an example, I got listed at all.s5h.net, but it was trivial to fix: https://whatismyipaddress.com/s5h
Other listings are harder to get de-listed from. Most listings automatically remove addresses if there are no more bad reports for a week or so.
Then it normally takes hours, maybe a day, until sites have re-checked the lists.
https://matrix.spfbl.net/ says my address is flagged because it is dynamic or suspected to be for domestic use only. I got the recommendation not to care about that.
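An added example (not from this page) for the checks above: whether an address is on torproject's torbulkexitlist (the list that ipsum and others take their Tor entries from), whether a relay at that address is still listed by Tor Metrics' Onionoo API (after shutdown a relay stays there with running=false until it ages out), and a DNSBL lookup against UCEPROTECT level 1 of the kind mail servers do. The torbulkexitlist URL, the Onionoo fields and the dnsbl-1.uceprotect.net zone are from those services' public documentation; the sample list and JSON are constructed. The network functions need internet access; the parsing is pure.

```python
"""Is an IP address currently treated as Tor, and is a relay at that address still
listed? Added example for this wiki page; URLs, API fields and DNSBL zone are from the
public documentation of those services, sample data is constructed."""
import ipaddress
import json
import socket
import sys
import urllib.request

BULK_EXIT_URL = "https://check.torproject.org/torbulkexitlist"   # exits only, one IPv4 per line
ONIONOO_URL = "https://onionoo.torproject.org/details?search="    # Tor Metrics, any relay
UCEPROTECT_L1 = "dnsbl-1.uceprotect.net"                          # mail DNSBL mentioned above


def parse_exit_list(text):
    """Set of addresses in a torbulkexitlist download (blank lines and comments skipped)."""
    out = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            out.add(str(ipaddress.ip_address(line)))
    return out


def is_tor_exit(ip, exit_list_text):
    return str(ipaddress.ip_address(ip)) in parse_exit_list(exit_list_text)


def relay_summary(onionoo_json, ip):
    """Relays at `ip` from an Onionoo 'details' document. A relay you shut down stays here
    with running=false until it ages out, which is what some blocklists key on."""
    rows = []
    for r in json.loads(onionoo_json).get("relays", []):
        or_hosts = [a.rsplit(":", 1)[0].strip("[]") for a in r.get("or_addresses", [])]
        if ip in or_hosts or ip in r.get("exit_addresses", []):
            rows.append({"nickname": r.get("nickname"), "running": bool(r.get("running")),
                         "exit": "Exit" in r.get("flags", []), "last_seen": r.get("last_seen")})
    return rows


def dnsbl_query_name(ip, zone):
    """DNSBLs are queried as <reversed octets>.<zone>, e.g. 4.3.2.1.dnsbl-1.uceprotect.net."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def dnsbl_listed(ip, zone=UCEPROTECT_L1):
    """Answer address if listed (lists encode the reason in it), None if not listed.
    Needs network access."""
    try:
        return socket.gethostbyname(dnsbl_query_name(ip, zone))
    except socket.gaierror:          # NXDOMAIN: not listed
        return None


def fetch(url):
    with urllib.request.urlopen(url, timeout=30) as resp:
        return resp.read().decode("utf-8", "replace")


# Constructed samples (192.0.2.0/24, 198.51.100.0/24 and 2001:db8::/32 are documentation ranges).
SAMPLE_EXIT_LIST = "# constructed\n192.0.2.10\n\n198.51.100.7   # trailing comment\n"
SAMPLE_ONIONOO = json.dumps({"relays": [{
    "nickname": "myveryuniquerelayname", "running": False, "flags": ["Fast", "Stable"],
    "or_addresses": ["192.0.2.10:9001", "[2001:db8::1]:9001"],
    "last_seen": "2023-03-15 10:00:00"}]})

if __name__ == "__main__":
    ip = sys.argv[1]
    print("on torbulkexitlist:", is_tor_exit(ip, fetch(BULK_EXIT_URL)))
    for row in relay_summary(fetch(ONIONOO_URL + ip), ip):
        print("onionoo:", row)
    print("UCEPROTECT level 1:", dnsbl_listed(ip) or "not listed")
```

Run it with your public address as argument, for example a day after turning exit functionality off, and again a week later; the exit list and Onionoo entry should clear first, the DNSBLs later.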
Configuration files
More information is in the unedited /etc/tor/torrc, and also see the upstream documentation.
After saving your edits, restart Tor for the settings to take effect: sudo systemctl restart tor. (Tor also re-reads its configuration on SIGHUP, so if the service unit supports it, sudo systemctl reload tor applies most options without tearing down existing circuits.)
Not edited, comes with the package:
DataDirectory /var/lib/tor
DataDirectoryGroupReadable 1
User toruser
Log notice syslog
/etc/tor/torrc
I edited mine to this (address details obfuscated):
# ! Also in use: /usr/share/tor/defaults-torrc
# Information: https://wiki.mageia.org/en/The_Onion_Router

#### Connection to a control panel, e.g. Nyx
ControlPort 9051
ControlSocket /run/tor/control
CookieAuthentication 1
CookieAuthFile /run/tor/control.authcookie
CookieAuthFileGroupReadable 1

#### Local use of the network, e.g. Firefox
#SOCKSPort 0   # Defaults to port 9050. Uncommented and set to 0, this inhibits local use.

#### Logging to files
Log notice file /var/log/tor/notices.log
# Log debug file /var/log/tor/debug.log   # Extensive. Only log when needed, and do delete it afterwards!
RunAsDaemon 1
DataDirectory /var/lib/tor
MaxMemInQueues 1GB   # If omitted, tor for me set it to several gigabytes automatically, reported in the log.
# In my use case, relaying 2 MB/s on a 250/250 Mbit/s fibre line, it uses about 700 megabytes. It logs if it needs more.
RelayBandwidthRate 15 MBytes   # MBytes per second, sustained average
RelayBandwidthBurst 30 MBytes  # Peak; lower than the physical max uplink or downlink, and must be at least RelayBandwidthRate

#### Ports to use, and IPv6 or not - must correspond to LAN router forwards & IPv6, Mageia firewall, provider IPv6 capability
# If you can and want to use IPv6, remove "IPv4Only" after the ports, and comment out the AddressDisableIPv6 line
AddressDisableIPv6 1
ORPort 9001 IPv4Only

#### Exit Relay functionality. https://community.torproject.org/relay/setup/exit/
#ExitRelay 1   # WARNING: enabling exit will make your IP emit harmful traffic that will get your IP blacklisted.
#ReducedExitPolicy 1   # Limits what is exited. I got banned anyway. Detailed settings possible, see doc and example https://tornull.org/tor-reduced-reduced-exit-policy.php
#IPv6Exit 1   # If you have working IPv6; IPv6 Exits are valuable
#DirPort 9030 IPv4Only   # *Deprecated!* Only needed for Exit with older tor versions https://gitlab.torproject.org/tpo/core/tor/-/issues/40282
#DirPortFrontPage /etc/tor/tor-exit-notice.html   # Tell visitors this is a Tor exit relay. Web search "tor-exit-notice.html", e.g. https://www.giters.com/Suk kaW/tor-exit-page

#### Edit the following to your addresses
Address working.address.com   # Dynamic DNS can often be provided by the LAN router or its manufacturer's service. Or use a fixed IP. For a dynamic IP you can also leave the Address line out, and Tor will guess.
Nickname myveryuniquerelayname   # Invent a readable and unique name
ContactInfo name <address AT somewhere dot com>   # How to contact you if someone sees a problem, e.g. with exit traffic; a Tor admin mailed me about my using a too old version
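An added example (not from this page or from tor) that lints a torrc before you restart: it parses the file the way tor does (option names are case-insensitive, '#' starts a comment also after an unquoted value) and reports the things this page warns about, an exit without a reduced policy, a ControlPort anyone on the machine can use, a SOCKSPort exposed to the LAN, a relay without ContactInfo, debug logging left on, a deprecated DirPort, plus one thing tor itself refuses to start with (RelayBandwidthBurst below RelayBandwidthRate). The option names are tor's; the checks and tag names are this example's own. The two constructed samples mirror the configuration above and a weak variant of it.

```python
"""Lint a torrc before restarting tor. Added example for this wiki page, not tor's own
tooling; option names are tor's, the checks and tags are this example's."""
import re
import sys

# tor's bandwidth units (bits are /8); "15 MBytes" -> 15*1024*1024
UNITS = {"": 1, "bytes": 1, "kb": 1024, "kbytes": 1024, "mb": 1024 ** 2, "mbytes": 1024 ** 2,
         "gb": 1024 ** 3, "gbytes": 1024 ** 3, "bits": 1 / 8, "kbits": 1024 / 8,
         "mbits": 1024 ** 2 / 8, "gbits": 1024 ** 3 / 8}


def parse_torrc(text):
    """[(option, value), ...] in file order; options repeat (Log, ORPort). As in tor,
    '#' starts a comment, also after an unquoted value."""
    opts = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key, value = parts[0], parts[1] if len(parts) > 1 else ""
        if not value.startswith('"'):
            value = value.split("#", 1)[0].rstrip()
        opts.append((key, value))
    return opts


def values(opts, name):                 # all values of an option, case-insensitive name
    return [v for k, v in opts if k.lower() == name.lower()]


def last(opts, name):                   # the value tor uses: the last one given
    vs = values(opts, name)
    return vs[-1] if vs else None


def bandwidth_bytes(value):
    m = re.fullmatch(r"(\d+)\s*([A-Za-z]*)", value.strip())
    if not m or m.group(2).lower() not in UNITS:
        raise ValueError("bad bandwidth value: " + value)
    return int(m.group(1)) * UNITS[m.group(2).lower()]


def lint_torrc(text):
    """Return [(tag, message), ...]; empty means nothing this example objects to."""
    opts, found = parse_torrc(text), []

    def hit(tag, msg):
        found.append((tag, msg))

    is_relay = any(p.split()[0] != "0" for p in values(opts, "ORPort"))
    if last(opts, "ExitRelay") == "1":
        hit("exit", "ExitRelay 1: your address will be in exit lists and draw abuse reports; be prepared")
        if not values(opts, "ReducedExitPolicy") and not values(opts, "ExitPolicy"):
            hit("exit-policy", "exit with the default (wide) policy; consider ReducedExitPolicy 1")
    if values(opts, "ControlPort") and last(opts, "CookieAuthentication") != "1" \
            and not values(opts, "HashedControlPassword"):
        hit("control-auth", "ControlPort without cookie or password auth: any local program can reconfigure tor")
    for p in values(opts, "SOCKSPort"):
        listen = p.split()[0]
        host = listen.rsplit(":", 1)[0] if ":" in listen else "127.0.0.1"
        if not listen.startswith("unix:") and host not in ("127.0.0.1", "[::1]", "localhost") \
                and not host.startswith("127."):
            hit("socks-exposed", "SOCKSPort %s listens beyond loopback: your whole LAN can proxy through you" % listen)
    if is_relay and not values(opts, "ContactInfo"):
        hit("contact", "relay without ContactInfo: nobody can warn you about problems or an old version")
    rate, burst = last(opts, "RelayBandwidthRate"), last(opts, "RelayBandwidthBurst")
    if rate and burst and bandwidth_bytes(burst) < bandwidth_bytes(rate):
        hit("burst", "RelayBandwidthBurst below RelayBandwidthRate: tor refuses this configuration")
    for log in values(opts, "Log"):
        if log.lower().startswith("debug"):
            hit("debug-log", "debug logging on: huge and may contain sensitive details; only while needed")
    dirport = last(opts, "DirPort")
    if dirport and dirport.split()[0] != "0":
        hit("dirport", "DirPort is deprecated and not needed by current tor")
    return found


# Constructed samples: the essentials of the torrc above, and a weak variant.
SAMPLE_PAGE_TORRC = """\
ControlPort 9051
CookieAuthentication 1
Log notice file /var/log/tor/notices.log
RelayBandwidthRate 15 MBytes   # MBytes per second
RelayBandwidthBurst 30 MBytes
AddressDisableIPv6 1
ORPort 9001 IPv4Only
Nickname myveryuniquerelayname
ContactInfo name <address AT somewhere dot com>
"""
SAMPLE_WEAK_TORRC = """\
ControlPort 9051
SOCKSPort 0.0.0.0:9050
ExitRelay 1
ORPort 9001
RelayBandwidthRate 15 MBytes
RelayBandwidthBurst 10 MBytes
Log debug file /var/log/tor/debug.log
DirPort 9030
"""

if __name__ == "__main__":
    with open(sys.argv[1] if len(sys.argv) > 1 else "/etc/tor/torrc") as f:
        for tag, msg in lint_torrc(f.read()):
            print("[%s] %s" % (tag, msg))
```

Run it on /etc/tor/torrc before the restart; tor's own check, "tor --verify-config -f /etc/tor/torrc", catches syntax errors and the burst/rate problem but not the policy choices above.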