Arch linux tor browser

Arch Linux User Repository

Search Criteria

Package Details: tor-browser 10.5.8-1

Package Actions

Git Clone URL:	https://aur.archlinux.org/tor-browser.git (read-only, click to copy)
Package Base:	tor-browser
Description:	Tor Browser Bundle: anonymous browsing using Firefox and Tor (international PKGBUILD)
Upstream URL:	https://www.torproject.org/projects/torbrowser.html
Keywords:	Anonymity Browser Internet Network Tor
Licenses:	GPL
Submitter:	grufo
Maintainer:	grufo (jugs)
Last Packager:	jugs
Votes:	1157
Popularity:	4.67
First Submitted:	2017-03-23 12:24
Last Updated:	2021-10-06 17:50

Dependencies (19)

• alsa-lib (alsa-lib-x205ta, alsa-lib-git, alsa-lib-minimal-git)
• dbus-glib (dbus-glib-git)
• desktop-file-utils (desktop-file-utils-git)
• hicolor-icon-theme (hicolor-icon-theme-git)
• hunspell (hunspell-git)
• icu (icu-git-static, icu-git)
• libevent (libevent-git, libevent-fb)
• libvpx (libvpx-1.6, libvpx-full-git, libvpx-1.7, libvpx-git)
• libxt
• mime-types (mailcap-mime-types, mailcap)
• nss (nss-hg)
• sqlite (sqlite-replication, sqlite-minimal-git, sqlite-fts3-parenthesis, sqlite-fossil)
• startup-notification (startup-notification-git)
• gst-libav (gst-libav-git) (optional) – H.264 video
• gst-plugins-good (gst-plugins-good-git) (optional) – H.264 video
• kdialog (kdialog-git) (optional) – KDE dialog boxes
• libnotify (libnotify-gtk2, libnotify-id-git, libnotify-id) (optional) – Gnome dialog boxes
• libpulse (libpulse-bluedio, pulseaudio-pali, pulseaudio-dummy, libpulse-nosystemd-git, libpulse-nosystemd, pulseaudio-git, libpulse-nosystemd-minimal-git, libpulse-hsphfpd, libpulse-airplay) (optional) – PulseAudio audio driver
• zenity (zenity-git, zenity-light, zenity-gtk2, qarma-git) (optional) – simple dialog boxes

Required by (0)

Sources (8)

Pinned Comments

grufo commented on 2019-08-15 02:22

Before running makepkg , you must do this (as normal user):

$ gpg —auto-key-locate nodefault,wkd —locate-keys torbrowser@torproject.org

If you want to update tor-browser from AUR without AUR helpers you can run in a terminal:

Latest Comments

grufo commented on 2021-09-10 18:32

@aminvakil Fair point.

aminvakil commented on 2021-09-10 11:36

bash is part of base . Mentioning it explicitly in depends is unnecessary imho.

whynothugo commented on 2021-09-09 09:17

/.local/opt/tor-browser is fine by me.

It’s not completely standard, but I’ve also seen it around, and is basically a «per-user /opt».

Using .cache is also valid IMHO, and this case is slightly outside of what any spec or standard has explicitly considered.

/.local/opt is that there’s no way to override it, whereas .cache is actually $XDG_CACHE_HOME .

.config is a bad choice though; that’s a directory that’ll frequently get backed up (or even versioned by many), and dumping all of the browser’s runtime in there sounds problematic.

grufo commented on 2021-09-08 18:07

I don’t think it was a great idea to create opt/ inside .local since it is not a standard location

This is the old debate about the

/.local/bin standard? The XDG mentions it («User-specific executable files may be stored in $HOME/.local/bin «).

/.local/lib ? The XDG does not mention it, but it is the natural result of installing a library instead of a program locally via ./configure —prefix=»$HOME/.local» && make && make install – the same command that would install a program under the

/.local/bin path mentioned by the XDG.

For me this package’s natural path is

/.local/opt : it satisfies the requirements for opt (it is completely self-contained in one single directory) and it satisfies the requirements for

/.local (it is a user installation).

But given the huge user base of this package, I would say that the debate has just started.

Application creates their folders in

Technically we do create our folder under .local .

class101 commented on 2021-09-08 17:47

I don’t think it was a great idea to create opt/ inside .local since it is not a standard location, only you will use the redondant opt folder

In my opinion it is not necessary to reinvent the wheel as Steam does so badly.

Application creates their folders in

.local .config .cache

grufo commented on 2021-09-08 17:39

That is a very good idea. I moved the user copy of Tor Browser from

whynothugo commented on 2021-09-08 10:19

Is it possible to use some other directory instead of

/.tor-browser ? I’d like to move this out of the way to somewhere like

whynothugo commented on 2021-08-19 22:15

any is not correct for this package, as that implies that the same package runs on all architecture. That’s not the case for this, as it includes native binaries.

tallero commented on 2021-08-19 21:10

Can you switch arch to any (or add pentium4)?

eora commented on 2021-08-17 18:04

Any ideas why does yay freezes after :: (1/1) Parsing SRCINFO: tor-browser ? makepkg freezes w/o any log.

UPD: It happens if TOR is banned in your country. If you experience the same issue use VPN.

Copyright © 2004-2021 aurweb Development Team.

AUR packages are user produced content. Any use of the provided files is at your own risk.

Источник

Arch linux tor browser

The Tor Project (The onion routing) is an open source implementation of onion routing that provides free access to an anonymous proxy network. Its primary goal is to enable online anonymity by protecting against traffic analysis attacks.

Users of the Tor network run an onion proxy software on their machines, which presents a SOCKS interface to its clients. This software connects out to Tor, periodically negotiating a virtual circuit through the Tor network. Tor employs cryptography in a layered manner (hence the ‘onion’ analogy), ensuring forward secrecy between routers.

Through this process the onion proxy manages networking traffic for end-user anonymity. It keeps a user anonymous by encrypting traffic, sending it through other nodes of the Tor network, and decrypting it at the last node to receive your traffic before forwarding it to the server you specified. One trade off that has to be made for the anonymity Tor provides is that it can be considerably slower than a regular direct connection, due to the large amount of traffic re-routing. Additionally, although Tor provides protection against traffic analysis it cannot prevent traffic confirmation at the boundaries of the Tor network (i.e. the traffic entering and exiting the network). See Wikipedia:Tor (anonymity network) for more information.

Contents

Installation

Usually, it will be used for #Web browsing.

Nyx is a command line monitor for Tor, it provides bandwidth usage, connection details and on-the-fly configuration editing. To use it, install the nyx package.

Usage

Start/enable tor.service . Alternatively, launch it with sudo -u tor /usr/bin/tor .

To use a program over Tor, configure it to use 127.0.0.1 or localhost as a SOCKS5 proxy, with port 9050 for plain Tor with standard settings.

The proxy supports remote DNS resolution: use socks5h://localhost:9050 for DNS resolution from the exit node (instead of socks5 for a local DNS resolution).

To check if Tor is functioning properly, visit https://check.torproject.org/ or https://torcheck.xenobite.eu/ websites.

Configuration

Tor reads its configurations from the file /etc/tor/torrc by default, or if the latter is not found, from $HOME/.torrc . The configuration options are explained in tor(1) and the Tor website. The default configuration should work fine for most Tor users.

To reload the configuration after a change, reload tor.service .

Relay Configuration

The maximum file descriptor number that can be opened by Tor can be set with LimitNOFILE in tor.service . Fast relays may want to increase this value.

If your computer is not running a webserver, and you have not set AccountingMax , consider changing your ORPort to 443 and/or your DirPort to 80 . Many Tor users are stuck behind firewalls that only let them browse the web, and this change will let them reach your Tor relay. If you are already using ports 80 and 443 , other useful ports are 22 , 110 , 143 and 9001 .[1] Ports below 1024 are privileged ports, so to use those Tor must be run as root, by setting User=root in tor.service and User tor in torrc .

You may wish to review Lifecycle of a New Relay Tor documentation.

Open Tor ControlPort

Most users will not need this. But some programs will ask you to open your Tor ControlPort so they get low-level access to your Tor node.

Via the ControlPort, other apps can change and monitor your Tor node, to modify your Tor config while Tor is running, or to get details about Tor network status and Tor circuits.

append to your torrc file

quote from Tor’s control-spec.txt: ‘For security, the [Tor control] stream should not be accessible by untrusted parties.’

So, for more security, we will restrict access to the ControlPort, either with a cookie file, or a control password, or both.

Set a Tor Control cookie file

To your torrc add

With cookie auth, access to your ControlPort is restricted by file permissions to your Tor cookie file, and to your Tor data directory.

With the config above, all users in the tor group have access to your Tor cookie file.

Add user to the tor group

. and as user, reload group settings

Now user should have access to your Tor cookie file.

should print 750 and 640 .

Set a Tor Control password

Convert your password from plain-text to hash

and add that hash to your torrc

the bash history commands prevent your clear-text password from being written to your bash $HISTFILE

Open Tor ControlSocket

If some program needs access to your Tor ControlSocket, as in Unix Domain Socket, add the following to your torrc :

Add the user who will run the program to the tor group:

Reload the group settings:

and relaunch the program.

To verify the status of the control sockets:

should print 750 and 660

Test your Tor Control

To test your ControlPort, run gnu-netcat with

To test your ControlSocket, run socat with

both commands should print

See Tor’s control-spec.txt for more commands.

Running Tor in a Chroot

For security purposes, it may be desirable to run Tor in a chroot. The following script will create an appropriate chroot in /opt/torchroot :

After running the script as root, Tor can be launched in the chroot with the command:

or, if you use systemd, overload the service:

Running Tor in a systemd-nspawn container with a virtual network interface

In this example we will create a systemd-nspawn container named tor-exit with a virtual macvlan network interface.

See systemd-nspawn and systemd-networkd for full documentation.

Host installation and configuration

In this example the container will reside in /srv/container :

Create directory if it does not exist:

Symlink to register the container on the host, as per systemd-nspawn#Management:

Virtual network interface

Create a drop-in configuration file for the container:

MACVLAN=interface creates a «macvlan» interface named mv-interface and assigns it to the container, see systemd-nspawn#Use a «macvlan» or «ipvlan» interface for details. This is advisable for security as it will allow you to give a private IP to the container, and it will not know what your machine’s IP is. This can help obscure DNS requests.

Set up systemd-networkd according to your network in /srv/container/tor-exit/etc/systemd/network/mv-interface.network .

Start and enable systemd-nspawn

Container configuration

Start and enable systemd-networkd

Start and enable systemd-networkd.service . networkctl displays if systemd-networkd is correctly configured.

Configure Tor

Web browsing

The only way to browse anonymously is with the supported Tor Browser Bundle, which uses a patched version of Firefox. It can be installed with the torbrowser-launcher package or the tor-browser AUR package.

Tor can also be used with regular browsers: see #Firefox or #Chromium to run these browsers through the Tor network. Note this is not an anonymous way to browse even in «private browsing» mode: fingerprinting, plugins, DNS leak and other shortcomings may reveal your IP address or identity. [2]

Firefox

In Preferences > General > Network Settings > Settings. , select Manual proxy configuration and enter SOCKS host localhost with port 9050 (SOCKS v5). To channel all DNS requests through TOR’s socks proxy, also select Proxy DNS when using SOCKS v5.

Chromium

You can simply run:

The —proxy-server=»socks5://myproxy:8080″ flag tells Chrome to send all http:// and https:// URL requests through the SOCKS proxy server «myproxy:8080» , using version 5 of the SOCKS protocol. The hostname for these URLs will be resolved by the proxy server, and not locally by Chrome.

The —proxy-server flag applies to URL loads only. There are other components of Chrome which may issue DNS resolves directly and hence bypass this proxy server. The most notable such component is the «DNS prefetcher». Hence if DNS prefetching is not disabled in Chrome then you will still see local DNS requests being issued by Chrome despite having specified a SOCKS v5 proxy server. Disabling DNS prefetching would solve this problem, however it is a fragile solution since one needs to be aware of all the areas in Chrome which issue raw DNS requests. To address this, the next flag, —host-resolver-rules=»MAP *

NOTFOUND , EXCLUDE myproxy» , is a catch-all to prevent Chrome from sending any DNS requests over the network. It says that all DNS resolves are to be simply mapped to the (invalid) address

NOTFOUND (think of it as 0.0.0.0 ). The «EXCLUDE» clause make an exception for «myproxy» , because otherwise Chrome would be unable to resolve the address of the SOCKS proxy server itself, and all requests would necessarily fail with PROXY_CONNECTION_FAILED .

To prevent the WebRTC leak you can install the extension WebRTC Network Limiter.

Debug

The first thing to check when debugging is look at the Proxy tab on about:net-internals, and verify what the effective proxy settings are: chrome://net-internals/#proxy

Next, take a look at the DNS tab of about:net-internals to make sure Chrome is not issuing local DNS resolves: chrome://net-internals/#dns

Extension

Just as with Firefox, you can setup a fast switch for example through Proxy SwitchySharp.

Once installed enter in its configuration page. Under the tab Proxy Profiles add a new profile Tor, if ticked untick the option Use the same proxy server for all protocols, then add localhost as SOCKS Host, 9050 to the respective port and select SOCKS v5.

Optionally you can enable the quick switch under the General tab to be able to switch beetween normal navigation and Tor network just by left-clicking on the Proxy SwitchySharp’s icon.

Luakit

You can simply run:

HTTP proxy

Tor offers a builtin tunneled HTTP proxy and can also be used with an HTTP proxy like Privoxy, however the Tor dev team recommends using the SOCKS5 library since browsers directly support it.

Add following line to your torrc file to set port 8118 on your localhost as http proxy:

Refer to tor manual for further information.

Firefox

The FoxyProxy add-on allows you to specify multiple proxies for different URLs or for all your browsing. After restarting Firefox manually set Firefox to port 8118 on localhost , which is where Polipo or Privoxy are running. These settings can be access under Add > Standard proxy type. Select a proxy label (e.g Tor) and enter the port and host into the HTTP Proxy and SSL Proxy fields. To check if Tor is functioning properly visit the Tor Check website and toggle Tor.

Polipo

The Tor Project has created a custom Polipo configuration file to prevent potential problems with Polipo as well to provide better anonymity.

Keep in mind that Polipo is not required if you can use a SOCKS 5 proxy, which Tor starts automatically on port 9050. If you want to use Chromium with Tor, you do not need the Polipo package (see: #Chromium).

Privoxy

You can also use this setup in other applications like messaging (e.g. Jabber, IRC). Applications that support HTTP proxies you can connect to Privoxy (i.e. 127.0.0.1:8118 ). To use SOCKS proxy directly, you can point your application at Tor (i.e. 127.0.0.1:9050 ). A problem with this method though is that applications doing DNS resolves by themselves may leak information. Consider using Socks4A (e.g. with Privoxy) instead.

Instant messaging

In order to use an IM client with tor, we do not need an http proxy like polipo/privoxy. We will be using tor’s daemon directly which listens to port 9050 by default.

Pidgin

You can set up Pidgin to use Tor globally, or per account. To use Tor globally, go to Tools -> Preferences -> Proxy. To use Tor for specific accounts, go to Accounts > Manage Accounts, select the desired account, click Modify, then go to the Proxy tab. The proxy settings are as follows:

Note that some time in 2013 the Port has changed from 9050 to 9150 if you use the Tor Browser Bundle. Try the other value if you receive a «Connection refused» message.

Irssi

This article or section is out of date.

Libera Chat recommends connecting to .onion directly. It also requires SASL to identify to NickServ during connection; see Irssi#Authenticating with SASL. Start irssi:

Set your identification to nickserv, which will be read when connecting. Supported mechanisms are ECDSA-NIST256P-CHALLENGE (see ecdsatool) and PLAIN. DH-BLOWFISH is not supported.

Disable CTCP and DCC and set a different hostname to prevent information disclosure: [4] [dead link 2021-05-17 ⓘ]

Connect to Libera Chat:

Pacman

Pacman download operations (repository DBs, packages, and public keys) can be done using the Tor network.

• Attackers that can monitor your Internet connection and that specifically targets your machine cannot watch the updates anymore and, because of that, they cannot deduce the packages you have installed, how up to date they are, when or how frequently you update them. An attacker can still learn what software and the versions you use by other means, for instance watching the packets from your http server or probing the machine will show that you have an http server installed and its version.
• If the mirror is not an onion, a malicious exit nodes you are going through can watch the updates, and may decide to attack you, however they probably cannot know who they are attacking.
• Attackers trying to make your machine believe that there are no new updates to prevent it from getting security fixes will have a harder time doing it since they cannot target your machine specifically.

• Longer update times due to longer latency and lower throughput. This can be a big security risk if/when the updates needs to be done as fast as possible, especially on machines directly connected to the Internet. That is the case when there is a huge security flaw, and that the flaws are fast to probe, easy to exploit, and that attackers have already started targeting as many systems as they can before the systems are updated.

Reliability with Tor:

• You do not need a working DNS anymore.
• You depend on the Tor network and the exit nodes not blocking the updates.
• You depend on the Tor daemon to work properly. The Tor daemon may not work if there is no more disk space available to it. «Reserved blocks gid:» in ext4, quotas, or other means can fix that.
• If you are in a country where Tor is blocked, or that there are almost or no Tor users at all, you should use bridges.

Note on gpg: On stock arch, pacman only trust keys which are either signed by you (that can be done with pacman-key —lsign-key ) or signed by 3 of 5 Arch master keys. If a malicious exit node replaces packages with ones signed by its key, pacman will not let the user install the package.

One can run ensure a java application proxies its connections through Tor by appending the following command line options:

Running a Tor server

The Tor network is reliant on people contributing bandwidth and setting up services. There are several ways to contribute to the network.

Running a Tor bridge

A Tor bridge is a Tor relay that is not listed in the public Tor directory, thus making it possible for people to connect to the Tor network when governments or ISPs block all public Tor relays. Visit https://bridges.torproject.org/ for more information and instructions on how to get bridge addresses.

To run a Tor bridge, make your torrc configuration file be just these four lines (also see Tor Project running a bridge):

Running a Tor relay

This means that your machine will act as an entry node or forwarding relay and, unlike a bridge, it will be listed in the public Tor directory. Your IP address will be publicly visible in the Tor directory but the relay will only forward to other relays or Tor exit nodes, not directly to the internet.

To run a Tor relay, add the following options to the torrc configuration file, you should at least share 20KiB/s:

Running a Tor exit node

Any requests from a Tor user to the regular internet obviously need to exit the network somewhere, and exit nodes provide this vital service. To the accessed host, the request will appear as having originated from your machine. This means that running an exit node is generally considered more legally onerous than running other forms of Tor relays. Before becoming an exit relay, you may want to read Tor Project — tips for running an exit node.

Configuration

Using the torrc, you can configure which services you wish to allow through your exit node. Allow all traffic:

Allow only irc ports 6660-6667 to exit from node:

By default, Tor will block certain ports. You can use the torrc to overide this.

+100Mbps Exit Relay configuration example

If you run a fast exit relay (+100Mbps) with ORPort 443 and DirPort 80 , the following configuration changes might serve as inspiration to setup Tor alongside iptables firewall, Haveged to increase system entropy and pdnsd as DNS cache. It is important to first read Configuring a Tor relay on Debian/Ubuntu.

Raise maximum number of open file descriptors

To handle more than 8192 connections LimitNOFILE can be raised to 32768 as per Tor FAQ.

To successfully raise nofile limit, you may also have to append the following:

Check if the nofile (filedescriptor) limit is successfully raised with sudo -u tor ‘ulimit -Hn’ as the root user or sudo -u tor bash and ulimit -Hn as the root user.

Start tor.service as root to bind Tor to privileged ports

To bind Tor to privileged ports the service must be started as root. Please specify User tor option in /etc/tor/torrc .

Tor configuration

To listen on Port 80 and 443 the service need to be started as root as described in #Start tor.service as root to bind Tor to privileged ports. Use the User tor option in /etc/tor/torrc to properly reduce Tor’s privileges.

This configuration is based on the Tor Manual.

Tor opens a socks proxy on port 9050 by default — even if you do not configure one. Set SOCKSPort 0 if you plan to run Tor only as a relay, and not make any local application connections yourself.

Log notice stdout changes logging to stdout, which is also the Tor default. ControlPort 9051 , CookieAuthentication 1 and DisableDebuggerAttachment 0 enables nyx to connect to Tor and display connections.

ORPort 443 and DirPort 80 lets Tor listen on port 443 and 80 and DirPortFrontPage displays the tor-exit-notice.html on port 80.

ExitPolicy reject XXX.XXX.XXX.XXX/XX:* should reflect your public IP and netmask, which can be obtained with the command ip addr , so exit connections cannot connect to the host or neighboring machines public IP and circumvent firewalls.

AvoidDiskWrites 1 reduces disk writes and wear on SSD. DisableAllSwap 1 «will attempt to lock all current and future memory pages, so that memory cannot be paged out».

If grep aes /proc/cpuinfo returns that your CPU supports AES instructions and lsmod | grep aes returns that the module is loaded, you can specify HardwareAccel 1 which tries «to use built-in (static) crypto hardware acceleration when available», see http://www.torservers.net/wiki/setup/server#aes-ni_crypto_acceleration.

ORPort 443 , DirPort 80 and DisableAllSwap 1 require that you start the Tor service as root as described in #Start tor.service as root to bind Tor to privileged ports. Use the User tor option to properly reduce Tor’s privileges.

If ControlPort 9051 and CookieAuthentication 1 is specified in /etc/tor/torrc , nyx can be started with sudo -u tor nyx . If you want to watch Tor connections in nyx DisableDebuggerAttachment 0 must also be specified.

If you want to run nyx as a different user than tor , read section #Set a Tor Control cookie file

iptables

Setup and learn to use iptables. Instead of being a Simple stateful firewall where connection tracking would have to track thousands of connections on a tor exit relay this firewall configuration is stateless.

-A PREROUTING -j NOTRACK and -A OUTPUT -j NOTRACK disables connection tracking in the raw table.

:INPUT DROP [0:0] is the default INPUT target and drops input traffic we do not specifically ACCEPT .

:FORWARD DROP [0:0] is the default FORWARD target and only relevant if the host is a normal router, not when the host is an onion router.

:OUTPUT ACCEPT [0:0] is the default OUTPUT target and allows all outgoing connections.

-A INPUT -p tcp ! —syn -j ACCEPT allow already established incoming TCP connections per the rules below and TCP connections established from the exit node.

-A INPUT -p udp -j ACCEPT allow all incoming UDP connections because we do not use connection tracking.

-A INPUT -p icmp -j ACCEPT allow ICMP.

-A INPUT -p tcp —dport 443 -j ACCEPT allow incoming connections to the ORPort .

-A INPUT -p tcp —dport 80 -j ACCEPT allow incoming connections to the DirPort .

-A INPUT -i lo -j ACCEPT allows all connections on the loopback interface.

Haveged

See Haveged to decide if your system generates enough entropy to handle a lot of OpenSSL connections, see haveged — A simple entropy daemon and how-to-setup-additional-entropy-for-cloud-servers-using-haveged for documentation.

pdnsd

You can use pdnsd to cache DNS queries locally, so the exit relay can resolve DNS faster and the exit relay does not forward all DNS queries to an external DNS recursor.

This configuration stub shows how to cache queries to your normal DNS recursor locally and increase pdnsd cache size to 100MB.

Uncensored DNS

If your local DNS recursor is in some way censored or interferes with DNS queries, see Alternative DNS services for alternatives and add them in a seperate server-section in /etc/pdnsd.conf as per Pdnsd#DNS servers.

Ensuring relay is working

First check that tor.service started correctly:

If there are no errors, one can run nyx to ensure your relay is making connections. Do not be concerned if your new relay is slow at first; this is normal. After approximately 3 hours, your relay should be published and searchable on Relay Search.

TorDNS

The Tor 0.2.x series provides a built-in DNS forwarder. To enable it add the following lines to the Tor configuration file and restart the daemon:

This will allow Tor to accept DNS requests (listening on port 9053 in this example) like a regular DNS server, and resolve the domain via the Tor network. A downside is that it is only able to resolve DNS queries for A-records; MX and NS queries are never answered. For more information see this Debian-based introduction.

DNS queries can also be performed through a command line interface by using tor-resolve For example:

Using TorDNS for all DNS queries

It is possible to configure your system, if so desired, to use TorDNS for all queries your system makes, regardless of whether or not you eventually use Tor to connect to your final destination. To do this, configure your system to use 127.0.0.1 as its DNS server and edit the DNSPort line in /etc/tor/torrc to show:

Alternatively, you can use a local caching DNS server, such as dnsmasq or pdnsd, which will also compensate for TorDNS being a little slower than traditional DNS servers. The following instructions will show how to set up dnsmasq for this purpose. Note, if you are using NetworkManager you will need to add your configuration file to to the location outlined in NetworkManager#dnsmasq.

Change the tor setting to listen for the DNS request in port 9053 and install dnsmasq .

Modify its configuration file so that it contains:

These configurations set dnsmasq to listen only for requests from the local computer, and to use TorDNS at its sole upstream provider. It is now neccessary to edit /etc/resolv.conf so that your system will query only the dnsmasq server.

Start the dnsmasq daemon.

Finally if you use dhcpcd you would need to change its settings to that it does not alter the resolv configuration file. Just add this line in the configuration file:

If you already have an nohook line, just add resolv.conf separated with a comma.

Torsocks

torsocks will allow you use an application via the Tor network without the need to make configuration changes to the application involved. From the man page:

torsocks is a wrapper between the torsocks library and the application in order to make every Internet communication go through the Tor network.

Transparent Torification

In some cases it is more secure and often easier to transparently torify an entire system instead of configuring individual applications to use Tor’s socks port, not to mention preventing DNS leaks. Transparent torification can be done with iptables in such a way that all outbound packets are redirected through Tor’s TransPort, except the Tor traffic itself. Once in place, applications do not need to be configured to use Tor, though Tor’s SOCKSPort will still work. This also works for DNS via Tor’s DNSPort, but realize that Tor only supports TCP, thus UDP packets other than DNS cannot be sent through Tor and therefore must be blocked entirely to prevent leaks. Using iptables to transparently torify a system affords comparatively strong leak protection, but it is not a substitute for virtualized torification applications such as Whonix, or TorVM [5]. Transparent torification also will not protect against fingerprinting attacks on its own, so it is recommended to use an amnesic solution like Tails instead. Applications can still learn your computer’s hostname, MAC address, serial number, timezone, etc. and those with root privileges can disable the firewall entirely. In other words, transparent torification with iptables protects against accidental connections and DNS leaks by misconfigured software, it is not sufficient to protect against malware or software with serious security vulnerabilities.

When a transparent proxy is used, it is possible to start a Tor session from the client as well as from the transparent proxy, creating a «Tor over Tor» scenario. Doing so produces undefined and potentially unsafe behavior. In theory, the user could get six hops instead of three in the Tor network. However, it is not guaranteed that the three additional hops received are different; the user could end up with the same hops, possibly in reverse or mixed order. The Tor Project opinion is that this is unsafe [6] [7]

To enable transparent torification, use the following file for iptables-restore and ip6tables-restore (internally used by systemd’s iptables.service and ip6tables.service ).

This file uses the nat table to force outgoing connections through the TransPort or DNSPort, and blocks anything it cannot torrify.

• Now using —ipv6 and —ipv4 for protocol specific changes. iptables-restore and ip6tables-restore can now use the same file.
• Where —ipv6 or —ipv4 is explicitly defined, ip*tables-restore will ignore the rule if it is not for the correct protocol.
• ip6tables does not support —reject-with . Make sure your torrc contains the following lines:

If you get this error: iptables-restore: unable to initialize table ‘nat’ , you have to load the appropriate kernel modules:

This file also works for ip6tables-restore, so you may symlink it:

Then make sure Tor is running, and start/enable the iptables and ip6tables systemd units.

You may want to add Requires=iptables.service and Requires=ip6tables.service to whatever systemd unit logs your user in (most likely a display manager), to prevent any user processes from being started before the firewall up. See systemd.

Tips and tricks

Kernel capabilities

If you want to run tor as a non-root user, and use a port lower than 1024 you can use kernel capabilities to allow /usr/bin/tor to bind to ports lower than 1024:

If you use the systemd service, it is also possible to use systemd to give the tor process the appropriate permissions. This has the benefit that permissions do not need to be reapplied after every tor upgrade:

Refer to superuser.com for further explanations.

Troubleshooting

Problem with user value

If the tor daemon failed to start, then run the following command as root (or use sudo)

If you get the following error

Then it means that the problem is with the User value, which likely means that one or more files or directories in your /var/lib/tor directory is not owned by tor. This can be determined by using the following find command:

Any files or directories listed in the output from this command needs to have its ownership changed. This can be done individually for each file like so:

Or to change everything listed by the above find example, modify the command to this:

Tor should now start up correctly.

Still if you cannot start the tor service, run the service using root (this will switch back to the tor user). To do this, change the user name in the /etc/tor/torrc file:

Now modify the systemd’s tor service file /usr/lib/systemd/system/tor.service as follows

The process will be run as tor user. For this purpose change user and group ID to tor and also make it writable:

Now save changes:

tor-browser proxy problems

tor-browser AUR should generally work without significant customization. If previously installed/configured and bundled proxy fails with proxy server is refusing connections for any website, consider resetting settings by moving or deleting

tor-browser blank black screen

If using AppArmor, update the torbrowser profile to allow access to required resources [8], [9]:

Источник