|
|
[[TOC(noheading, depth=1)]]
|
|
|
= Torsocks =
|
|
|
Torsocks is a torifying wrapper that is primarily used to redirect all the network traffic
|
|
|
of individual SOCKS-friendly applications through the Tor network. It also ensures DNS queries
|
|
|
are handled correctly and explicitly blocks all UDP traffic from the application in question.
|
|
|
Torsocks is the successor of tsocks and is still actively maintained. It is simply packaged as
|
|
|
'''torsocks''' and is available (and often automatically included with the '''tor''' package)
|
|
|
in many *nix based distributions.
|
|
|
|
|
|
== Download ==
|
|
|
There are [[packages]] for different distributions.
|
|
|
|
|
|
The code lives at [https://gitweb.torproject.org/torsocks.git torsocks.git], you can get a copy with
|
|
|
{{{
|
|
|
git clone https://git.torproject.org/torsocks.git
|
|
|
}}}
|
|
|
For further instructions have a look at the [https://gitweb.torproject.org/torsocks.git/tree/README.md README].
|
|
|
|
|
|
== Usage ==
|
|
|
Once you have installed torsocks, just launch it like so:
|
|
|
{{{
|
|
|
torsocks [application]
|
|
|
}}}
|
|
|
For example, you can use ssh to a some.ssh.com by doing:
|
|
|
{{{
|
|
|
torsocks ssh username @ some.ssh.com
|
|
|
}}}
|
|
|
or launch pidgin by doing:
|
|
|
{{{
|
|
|
torsocks pidgin
|
|
|
}}}
|
|
|
|
|
|
An alternative command is {{{torify}}}. It is only provided for backward compatibility, and unless it is entirely necessary, you should use {{{torsocks}}} at all times. Example:
|
|
|
{{{
|
|
|
torify pidgin
|
|
|
}}}
|
|
|
|
|
|
== Security ==
|
|
|
The tables below contains a small list of applications commonly used in conjunction with torsocks / torify. At the moment a 100% guarantee of being safe to operate with Tor can only be given for a few of them. This is because the operation of the applications and the data they transmit has not been fully researched, so it is possible that a given application can leak user/system data at a level that neither Tor nor torsocks can control.
|
|
|
|
|
|
The following '''administrative''' applications are known to be compatible with `torsocks`:
|
|
|
|
|
|
|| '''Application''' || '''100% Safe'''|| '''DNS'''|| '''Comments''' ||
|
|
|
|| `ssh` || M || Y || Potential for identity leaks through login. ||
|
|
|
|| `telnet` || M || Y || Potential for identity leaks through login and password. ||
|
|
|
|| `svn` || M || Y || ||
|
|
|
|| `gpg` || Y || Y || GPG implemented `--use-tor`. See [https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/GnuPG GnuPG]. ||
|
|
|
|
|
|
The following '''messaging''' applications are known to be compatible with `torsocks`:
|
|
|
|
|
|
|| '''Application''' || '''100% Safe'''|| '''DNS''' || '''Comments''' ||
|
|
|
|| `pidgin` || M || Y || Potential for identity leaks through login and password. ||
|
|
|
|| `kopete` || M || Y || Potential for identity leaks through login and password. ||
|
|
|
|| `konversation` || M || Y || Potential for identity leaks through login and password. ||
|
|
|
|| `irssi` || M || Y || Potential for identity leaks through login and password. ||
|
|
|
|| `silc` || M || Y || Potential for identity leaks through login and password. ||
|
|
|
|
|
|
The following '''email''' applications are known to be compatible with `torsocks`:
|
|
|
|
|
|
|| '''Application''' || '''100% Safe'''|| '''DNS''' || '''Comments''' ||
|
|
|
|| `claws-mail` || * || * || Use [https://trac.torproject.org/projects/tor/wiki/torbirdy TorBirdy] (Tor Button for Thunderbird) instead! ||
|
|
|
|| `thunderbird` || '''*''' || * || Use [https://trac.torproject.org/projects/tor/wiki/torbirdy TorBirdy] (Tor Button for Thunderbird) instead! ||
|
|
|
|
|
|
The following '''file transfer''' applications are known to be compatible with `torsocks`:
|
|
|
|
|
|
|| '''Application''' || '''100% Safe''' || '''DNS''' || '''Comments''' ||
|
|
|
|| `wget` || '''M''' || '''Y''' || Possibility of identity leaks through http headers. ||
|
|
|
|| `ftp` || M || Y || Passive mode works well generally. ||
|
|
|
|
|
|
'''Table legend''':
|
|
|
{{{
|
|
|
DNS: DNS requests safe for Tor?
|
|
|
N - The application is known to leak DNS requests when used with torsocks.
|
|
|
Y - Testing has shown that application does not leak DNS requests.
|
|
|
100% Safe: Fully verified to have no interoperability issues with Tor?
|
|
|
N - Anonymity issues suspected, see comments column.
|
|
|
M - Safe enough in theory, but either not fully researched or anonymity can be compromised
|
|
|
through indiscreet use (e.g. email address, login, passwords).
|
|
|
Y - Application has been researched and documented to be safe with Tor.
|
|
|
}}}
|
|
|
[[br]]
|
|
|
= Older Information =
|
|
|
|
|
|
'''WARNING:''' The information below is heavily depreciated and it is highly advised to not follow it.
|
|
|
== uwt - modified torsocks to improve Tor stream isolation ==
|
|
|
This is a modified torsocks to support setting proxy type, ip and port by command line parameter to prevent identity correlation through circuit sharing.
|
|
|
|
|
|
Written by Whonix developer proper/adrelanos. The Tails developers contributed feedback and a patch.
|
|
|
|
|
|
*nix only, because torsocks/torify is not available for Windows.^1^ [[BR]]
|
|
|
,,
|
|
|
^1^ Perhaps a modified proxychains might work. Modified a similar way.
|
|
|
|
|
|
== Additional SocksPorts ==
|
|
|
You need to add additional SocksPorts to your torrc.
|
|
|
|
|
|
Add to /etc/tor/torrc.
|
|
|
{{{
|
|
|
SocksPort 9052
|
|
|
SocksPort 9053
|
|
|
}}}
|
|
|
Don't forget to restart Tor.
|
|
|
|
|
|
== uwt ==
|
|
|
uwt, the torsocks wrapper. (It's a fork of torsocks from the torsocks package.)
|
|
|
|
|
|
{{{
|
|
|
nano /usr/local/bin/uwt
|
|
|
}}}
|
|
|
|
|
|
UPDATE 17
|
|
|
|
|
|
{{{
|
|
|
#!html
|
|
|
<h1 style="text-align: left; color: red">
|
|
|
Applies to non-Whonix users. Some versions prior UPDATE 15 were affected by a security issue. If you command included localhost or 127.0.0.1 it leaked.
|
|
|
</h1>
|
|
|
}}}
|
|
|
Thanks to intrigeri for reporting the issue!
|
|
|
|
|
|
Moved to github.
|
|
|
{{{
|
|
|
https://github.com/Whonix/uwt/blob/master/usr/bin/uwt
|
|
|
}}}
|
|
|
|
|
|
== Manual use ==
|
|
|
Example for manual usage invoked by command line.
|
|
|
{{{
|
|
|
uwt -t 5 -i 127.0.0.1 -p 9050 /usr/bin/wget -c https://check.torproject.org
|
|
|
}}}
|
|
|
|
|
|
{{{
|
|
|
sudo uwt -t 5 -i 127.0.0.1 -p 9050 /usr/bin/apt-get --yes dist-upgrade
|
|
|
}}}
|
|
|
|
|
|
== Wrapper use ==
|
|
|
For example, if you wish enforce the proxy settings without entering such a long command every time, you can use a wrapper, . The wrapper has to be placed in PATH ('echo $PATH') before the real executable.
|
|
|
|
|
|
{{{
|
|
|
nano /usr/local/bin/wget
|
|
|
}}}
|
|
|
|
|
|
Insert the following.
|
|
|
{{{
|
|
|
#!/bin/bash
|
|
|
#echo "This is uwt /usr/local/bin/wget wrapper."
|
|
|
/usr/local/bin/uwt -t 5 -i 192.168.0.10 -p 9109 /usr/bin/wget $*
|
|
|
}}}
|
|
|
|
|
|
In this example, if you want to use wget, you don't have to type 'uwt -t 5 -i 192.168.0.10 -p 9109 -c "/usr/bin/wget -c https://check.torproject.org"', you can simply use 'wget -c https://check.torproject.org'. The wrapper calls uwt and uwt calls torsocks. Your request will be routed through socks5, IP 192.168.0.10, port 9109.
|
|
|
|
|
|
Thanks to intrigeri, for bringing up this suggestion!
|
|
|
|
|
|
== Related discussion ==
|
|
|
* [https://lists.torproject.org/pipermail/tor-talk/2012-June/024497.html tor-talk How to force redirect each application through separate SocksPorts? (preventing identity correlation)]
|
|
|
* [https://mailman.boum.org/pipermail/tails-dev/2012-June/001268.html Tails-dev Tails's plans for Tor's stream isolation in Tor 0.2.3?]
|
|
|
* [https://sourceforge.net/tracker/?func=detail&aid=3541363&group_id=11118&atid=361118 Privoxy feature request: support IsolateSOCKSAuth (preventing identity correlation) - ID: 3541363]
|
|
|
* [https://mailman.boum.org/pipermail/tails-dev/2012-September/001575.html tails-dev bug reports, test and discussion]
|
|
|
|
|
|
== Workaround for IPv6 leak bug ==
|
|
|
|
|
|
As long as this bug https://code.google.com/p/torsocks/issues/detail?id=37 isn't fixed...
|
|
|
|
|
|
If you on a IPv6 enabled network and use usewithtor <some-IPv6-aware-application>, then IPv6 traffic will be send in the clear, thus de-anonymzing you.
|
|
|
|
|
|
Workaround: Add to /etc/sysctl.conf.
|
|
|
{{{
|
|
|
net.ipv6.conf.all.disable_ipv6 = 1
|
|
|
}}}
|
|
|
|
|
|
Run
|
|
|
{{{
|
|
|
sysctl -p
|
|
|
}}}
|
|
|
to activate. (Will remain activated after reboot.)
|
|
|
|
|
|
Of course you can and should only apply this workaround if you don't depend on IPv6.
|
|
|
|
|
|
[[br]]
|
|
|
= Tickets =
|
|
|
== Torsocks ==
|
|
|
[[TicketQuery(component=Core Tor/Torsocks,order=status,status=!closed,format=table,col=id|summary|status|priority|keywords|owner|)]]
|
|
|
|
|
|
= History =
|
|
|
Moved to [https://trac.torproject.org/projects/tor/wiki/doc/torsocks/History torsocks/History]. |
|
|
\ No newline at end of file |