The following is a blow-by-blow instructional for configuring network clients to use Tor proxies under UNIX. With two, simple proxy programs (connect and torsocks), network clients - such as ssh and irc - can be set-up for online anonymity. Also described will be commands for forwarding a local port to a remote port with ssh, so that a local network client can connect to the remote proxy.
However, the simplest means for protecting online anonymity and connecting to hidden websites is to download and install the Tor Browser Bundle (Firefox + Tor). With it, no external proxy app is required to surf the clear or the dark net.
Tor was designed to protect a user's anonymity, i.e. to conceal his (ISP assigned) IP address. When a Tor proxy is employed, a client's data is routed randomly through a maze of Tor nodes, operating world-wide.
Connecting to clearnet services (http, ssh, irc, etc.) via a Tor proxy will provide (greater) online anonymity - than connecting to them directly.
On a hidden slice of the internet, referred to as the "darknet" and "onionland", there're web and other services assigned the .onion pseudo TLD (Top Level Domain). These services can be accessed - by a Tor proxy. Client configurations for Tor proxies will be discussed - in some detail below.
N.B. In this guide, we'll build and install the software in the $HOME of a non-privileged user. Building in and running Tor under a non-privileged user's account enhances security and facilitates upgrades.
Alternatively - to install Tor system-wide (as root), use the package manager (or ports collection) of your operating system. Linux distros and *BSD variants provide pre-compiled, Tor binaries. These binaries are not upgraded - when the newest Tor release becomes public.
Download and unpack the sources for the standalone version of Tor, i.e. the Source Tarball. The latest, stable release is advised. torproject.org
$ cd ~/
$ wget https://www.torproject.org/dist/tor-0.2.X.X-rc.tar.gz
$ tar xzvf tor-0.2.X.X-rc.tar.gz
$ cd tor-0.2.X.X
Configure, compile and install Tor
With the configure option "--prefix="$HOME/tor", tor will be installed under your local, UNIX account. Verify that $HOME/bin exists and that it's in your PATH statement. Also, verify that libevent is installed.
$ ./configure --prefix="$HOME/tor" --exec-prefix="$HOME"
$ make
$ make install
Execute tor
$ ~/bin/tor
note
To initialize Tor at boot, add the following as a cronjob with "crontab -e".
@reboot $HOME/bin/tor
connect is a tiny program which functions well as a Socks 4a or a Socks 5 proxy client. Download the source for connect, extract, compile and copy it into $HOME/bin.
$ wget https://github.com/larryhou/connect-proxy/archive/refs/heads/master.zip
$ unzip master.zip
$ cd connect-proxy-master
$ gcc -o connect connect.c
$ cp connect ~/bin
Configure ssh
Open up ~/.ssh/config in a text editor. Add the following:
#Host 10.*
#ProxyCommand none
Host *
ProxyCommand connect -4 -S 127.0.0.1:9050 %h %p
Since Tor lives on port 9050 of 127.0.0.1 (localhost), we'll have ssh connect to it first (instead of directly to the remote address); thereby, proxying to the remote address with a Tor IP. If your computer is located on a LAN (private address spacing), uncomment the first two lines (and edit if necessary the IP wildcard). Connections to local IPs should not go through the Tor proxy.
Test ssh by logging into a remote host:
$ ssh user@somedomain.com
torsocks is a transparent socks5 proxy app - which permits client access to Tor proxies. The latest stable release is advised. Below, download, extract, configure, compile and install torsocks under a non-privileged user's account.
$ cd ~/
$ wget https://gitlab.torproject.org/tpo/core/torsocks/-/archive/main/torsocks-main.tar.gz
$ tar xzvf torsocks-1.X.tar.gz
$ cd torsocks-1.X
$ ./configure --prefix="$HOME/torsocks" --exec-prefix="$HOME" --libdir="$HOME/tor/lib"
$ make && make install
Network clients and torsocks
With the following command, netcat will check the online status of a darknet website:
$ usewithtor nc -v somehostxxxxxxxx.onion 80
The following command will yank the raw html from an onion site, then write it to a file:
$ echo -e "GET / HTTP/1.0\n\n" |usewithtor nc -v -i 3 somehostxxxxxxxx.onion 80 > somehostxxxxxxxx.onion.html
Anonymous port scanning
Arguably, nmap is the most widely employed port scanning device in history, but - in conjunction with Tor - unless the -sT switch is soley used, it spews GOBS of irritating libtorsocks errors - by connecting to UDP ports, making the anonymous scanning annoying. And - by default, nmap performs host discovery with ICMP packets - which could reveal an IP. (Since Tor can't handle ICMP packets, they could be routed to the clearnet.)
netcat (installed on most UNIX operating systems) scans hosts on both the clear and the darknet quickly, quietly and efficiently. By default, netcat does not connect to UDP ports. Examples for scanning darknet hosts follow:
$ usewithtor nc -v -z somehostxxxxxxxx.onion 1-100
-z = scan mode
1-100 = the port range to scan
somehostxxxxxxxx.onion = the host to scan
$ usewithtor nc -v -w 5 somehostxxxxxxxx.onion 1-100
-w = timeout for connects and final net reads
With the "-w" switch, you'll need to observe nc as it scans. If it hangs for 5 seconds then resumes, the port is open. So, it's best to use "-z" for scanning, unless there's a compelling reason for "-w" (e.g. to view the greeting message of a daemon). Finally - when scanning a clearnet site - as a precaution, use the IP rather than the hostname. tor-resolve, part of the Tor release, can perform that task - easily.
$ tor-resolve somedomain.com
www.xxx.yyy.zzz
$ usewithtor irc
With your package manager, install the venerable ircII client. Once ircII executes, type in an address of an onion irc server: "/server somehostxxxxxxxx.onion". You may use a different, text (or GUI) based app (than ircII) - as your choice of an irc client.
For irc clients which contain native, socks5 proxy support, xchat, Hexchat, weechat, etc., specify the 127.0.0.1 address and the port 9050 as the proxy server in the network configuration panel or in a control file. Type the address and port of an onion IRC server on the commandline: "/server somehostxxxxxxxx.onion 6667" to connect (via the proxy) to the onion irc server.
Some clearnet irc servers ban (i.e. k-line) those who connect via Tor proxies without SASL authentication. irc.freenode.net and irc.efnet.org are examples. It would be best to reserve "torified" IRC sessions for onion servers.
If a Tor instance is not running on your local machine (often a good idea), a local to a remote port can be forwarded with SSH, then the local port connected to with a network app - which will use the Tor proxy on the remote host. Below, we'll be using the Chrome browser - to demonstrate this (awkward to grasp) concept.
Suppose that the Tor host is located on your lan at the address of 10.0.0.2, and "user" has a shell on that box. Forward the 9050 port with SSH:
$ ssh -N -L 9050:localhost:9050 user@10.0.0.2
Chrome (and most web-browsers) support proxies natively, i.e. no external proxy app is required for them. To have Chrome use the remote Tor proxy (by connecting to a local address and port), open up it up in a terminal window with the following command:
$ google-chrome --proxy-server="socks5://localhost:9050" --host-resolver-rules="MAP * 0.0.0.0, EXCLUDE localhost" --no-referrers --user-agent="Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.93 Safari/537.36"
note
The third part of the above chrome command ("--host-resolver-rules") prevents DNS queries from leaking-out on the clearnet - which could compromise a user's anonymity. The second to last ("--no-referrers") halts the browser from sending an HTTP_REFERER, which logs pick up and which could provide a clue - as to the identity of a computer. The last part of the command ("--user-agent") spoofs the browser as a Windows box running Chrome v27.0.