Changes

Page history
Raw import from Trac using Trac markup language. authored by Alexander Hansen Færøy's avatar Alexander Hansen Færøy
Show whitespace changes
Inline Side-by-side
TorBrowserBundleSAQ.md 0 → 100644
View page @ 53a16e3a
This is a list of Seldomly Asked Questions pertaining to Tor Browser
= How do I make Tor Browser 7.x to 9.x (may work for later versions) use the tor that is already running on the system? =
See the section **Using a system-installed Tor process with Tor Browser** in the file `$TB_INST_DIR/Browser/start-tor-browser` where `$TB_INST_DIR` is your tor browser installation directory (e.g. `tor-browser_en-US`) for instructions. Alternatively, you can view them ​[https://gitweb.torproject.org/builders/tor-browser-bundle.git/tree/RelativeLink/start-tor-browser online] ([http://jqs44zhtxl2uo6gk.onion/builders/tor-browser-bundle.git/tree/RelativeLink/start-tor-browser onion]). Be careful, the online version is on the master branch, which may be too new for your tor browser. When in doubt, follow the one coming with your tor browser.
= How do I make Tor Browser 5.x use the tor that is already running on the system? =
== **WARNING** Using Tor Browser in this manner is **NOT OFFICIALLY SUPPORTED** ==
== Using a local Tor SOCKS daemon ==
First of all, find the group that the Tor process runs under.
On debian deriviatives, this will be 'debian-tor', on redhat/fedoracore this
will be '_tor', on arch linux 'tor'.
then run the command (as root):
{{{
usermod -a -G $GROUP $USER
}}}
where $GROUP is the group Tor runs under for your OS, and $USER is the user that will be running Tor Browser.
You will need to login again for the group change to be applied. Login again via:
{{{
su $USER
}}}
add or edit the following in your torrc
{{{
SocksPort 9050 IPv6Traffic PreferIPv6 KeepAliveIsolateSOCKSAuth
ControlPort 9051
CookieAuthentication 1
CookieAuthFile /var/run/tor/control.authcookie
CookieAuthFileGroupReadable 1
}}}
The CookieAuthFile should be stored in a directory that the Tor process can write to and that you can read from. The Debian tor package already sets these for you.
Set some environment variables so that Tor Browser (the Tor Button and Tor Launcher extensions) knows how to talk to our local tor process.
{{{
export TOR_CONTROL_COOKIE_AUTH_FILE=/var/run/tor/control.authcookie
export TOR_CONTROL_PORT=9051
export TOR_SOCKS_PORT=9050
export TOR_SKIP_LAUNCH=1
}}}
=== Problems ===
It will no longer be able to make changes to your torrc, because in the system daemon tor ethos, it should not be able to edit it's own torrc So this will mean changes to bridges will be ephemeral, you should make any configuration changes to the /etc/tor/torrc file for bridges or proxy settings.
== Using an external Tor SOCKS daemon ==
=== ''Qubes, Whonix, PORTAL and other Isolating Proxies'' ===
Here we won't be able to use cookie auth as we did previously, we'll need to use a HashedControlPassword (a pre-shared secret/password), to generate one run the command:
{{{
tor --hash-password "$PASSWORD"
}}}
Where $PASSWORD is the password you've chosen as your shared secret.
This will produce output like:
{{{
16:ED8B416384FE8EA660D22C7315374363C8C64BCE01EF7F82783DE02668
}}}
add or edit the following in your torrc
{{{
SocksPort 192.168.1.1:9050 KeepAliveIsolateSOCKSAuth
ControlPort 192.168.1.1:9051
HashedControlPassword 16:ED8B416384FE8EA660D22C7315374363C8C64BCE01EF7F82783DE02668
}}}
Replacing '192.168.1.1' with the IP address of the interface that the Tor Browser client will be connecting ''to''.
Set some environment variables so that Tor Browser (the Tor Button and Tor Launcher extensions) knows how to talk to our local tor process.
{{{
export TOR_SOCKS_HOST=192.168.1.1
export TOR_SOCKS_PORT=9050
export TOR_CONTROL_HOST=192.168.1.1
export TOR_CONTROL_PORT=9051
export TOR_SKIP_LAUNCH=1
export TOR_CONTROL_PASSWD='"$PASSWORD"'
}}}
Ensure that you replace $PASSWORD with the password you hashed earlier. It ''must'' remain inside of double quotes.
=== Problems ===
Your data will traverse the connection ''before'' Torification or encryption, ensure that this connection is not shared, (eg, it is virtual and local or direct and physical and resistant to wiretapping)
== Using an upstream Tor TransProxy daemon ==
Here we again can't use cookie auth, we also will not be able to take advantage or Tor Browser 4.5's SOCKS isolation-by-domain method. I will not be providing a guide here as to how you should make your control port available through your packet filter, I highly recommend that you do otherwise you will lose the new identity functionality. This guide assumes you've already set up an upstream transproxy tor daemon.
Follow the steps for the external SOCKS daemon section above to generate a control password hash.
add or edit the following in your torrc
{{{
ControlPort 192.168.1.1:9051
HashedControlPassword 16:ED8B416384FE8EA660D22C7315374363C8C64BCE01EF7F82783DE02668
}}}
Set some environment variables so that Tor Browser (the Tor Button and Tor Launcher extensions) knows how to talk to our local tor process.
{{{
export TOR_CONTROL_HOST=192.168.1.1
export TOR_CONTROL_PORT=9051
export TOR_SKIP_LAUNCH=1
export TOR_TRANSPROXY=1
export TOR_CONTROL_PASSWD='"$PASSWORD"'
}}}
Ensure that you replace $PASSWORD with the password you hashed earlier. It ''must'' remain inside of double quotes.
=== Problems ===
Lacking some of the context-aware isolation that the SOCKS method can provide this is certainly not the favored option, without the control port this becomes far more apparent as it wouldn't be able to send the NEWNYM signal to the remote Tor instance to force it to use new circuits for future connections.