Tor configuration

See

Tor is used in the Freedombuddy system.

Current Configuration

Required Packages

torrc

Note that the transparent proxy ports are enabled here for future use; we don't actually do transparent proxying of client traffic yet.

# Run as non-exit bridge relay
SocksPort [::]:9050
SocksPort 0.0.0.0:9050
ORPort auto
ControlPort 9051
BridgeRelay 1
Exitpolicy reject *:*
Exitpolicy reject6 *:*

# Enable obfsproxy
ServerTransportPlugin obfs3,scramblesuit exec /usr/bin/obfsproxy managed
ExtORPort auto

# Enable transparent proxy
VirtualAddrNetworkIPv4 10.192.0.0/10
AutomapHostsOnResolve 1
TransPort 127.0.0.1:9040
TransPort [::1]:9040
DNSPort 127.0.0.1:9053
DNSPort [::1]:9053
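As an added check that is not part of the FreedomBox configuration, this Python script lints a torrc like the one above: it flags listeners bound to [::] or 0.0.0.0 (reachable from any host that can reach the box, not only local clients) and a ControlPort with no authentication option in the same file (a separate defaults file could still set one). The sample torrc text and its hardened variant are constructed here from the lines on this page.

```python
"""Added check (not FreedomBox code): lint a torrc for listeners bound beyond
loopback and for a ControlPort with no authentication option in the same file."""
import ipaddress

LISTEN_OPTIONS = ("socksport", "transport", "dnsport", "controlport")
AUTH_OPTIONS = ("hashedcontrolpassword", "cookieauthentication")

# Constructed sample: the listener lines of the FreedomBox torrc shown above.
FREEDOMBOX_TORRC = """\
SocksPort [::]:9050
SocksPort 0.0.0.0:9050
ORPort auto
ControlPort 9051
TransPort 127.0.0.1:9040
TransPort [::1]:9040
DNSPort 127.0.0.1:9053
"""

# Constructed sample: same listeners restricted to loopback, control port authenticated.
HARDENED_TORRC = """\
SocksPort 127.0.0.1:9050
ORPort auto
ControlPort 9051
CookieAuthentication 1
TransPort 127.0.0.1:9040
DNSPort 127.0.0.1:9053
"""

def parse_torrc(text):
    """Yield (option, value) pairs; options are lowercased since torrc keys are case-insensitive."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key, _, value = line.partition(" ")
            yield key.lower(), value.strip()

def bind_address(value):
    """Bind address of a port value: '[::]:9050' -> '::', '0.0.0.0:9050' -> '0.0.0.0'.
    A bare port number or 'auto' listens on loopback, Tor's default."""
    if value.startswith("["):
        return value[1:value.index("]")]
    host, sep, _port = value.rpartition(":")
    return host if sep else "127.0.0.1"

def find_issues(text):
    entries = list(parse_torrc(text))
    has_auth = any(k in AUTH_OPTIONS and v not in ("", "0") for k, v in entries)
    issues = []
    for key, value in entries:
        parts = value.split()
        # '0' disables the port; unix: sockets are not network listeners
        if key not in LISTEN_OPTIONS or not parts or parts[0] == "0" or parts[0].startswith("unix:"):
            continue
        addr = bind_address(parts[0])
        if not ipaddress.ip_address(addr).is_loopback:
            issues.append(f"{key} bound to {addr}: reachable from the network, not just this host")
        if key == "controlport" and not has_auth:
            issues.append("controlport enabled with no HashedControlPassword/CookieAuthentication here")
    return issues
```

Running `find_issues(FREEDOMBOX_TORRC)` reports the two non-loopback SocksPort lines and the unauthenticated ControlPort; the hardened text reports nothing.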

Hidden Service

When Tor Hidden Service is enabled through Plinth, the following lines are added to /etc/tor/torrc:

# Hidden Service configured by Plinth
HiddenServiceDir /var/lib/tor/hidden_service/
HiddenServicePort 80 127.0.0.1:80
HiddenServicePort 443 127.0.0.1:443
# end of Plinth Hidden Service config

Proposed Configurations

Packages

The following packages are required for this recipe:

Configuration

The default configuration in Debian is already pretty straightforward. However, enabling some more options can be interesting.

Tor

To enable the internal Tor resolver:

DNSPort 8853
AutomapHostsOnResolve 1
AutomapHostsSuffixes .exit,.onion

We might want to permit access to the socks proxy.

TransPort 9040
TransListenAddress 127.0.0.1

We can also enable the control port, so that commands (like NEWNYM, to build new circuits) can be passed to Tor.

ControlPort 9051

Polipo

This configuration might be changed if we consider that the polipo proxy should be offered to clients on the local network.

proxyAddress = "127.0.0.1"
proxyPort = 8118

socksParentProxy = "localhost:9050"
socksProxyType = socks5

proxyName = "localhost"

cacheIsShared = false

diskCacheRoot = ""
localDocumentRoot = ""

disableVia = true

dnsUseGethostbyname = yes

disableLocalInterface = true
disableConfiguration = true

censoredHeaders = from,accept-language,x-pad,link
censorReferer = maybe

maxConnectionAge = 5m
maxConnectionRequests = 120
serverMaxSlots = 8
serverSlots = 2
tunnelAllowedPorts = 1-65535

DNS

Torifying the traffic makes little sense if an ISP is still able to monitor its users' activities through their DNS requests. Even using something like OpenDNS still reveals in clear text what website/host you are connecting to.

It is then important to torify the DNS requests themselves.

Tor offers a resolver that can be defined with the DNSPort option. However, this resolver can only answer A requests. In addition, Tor doesn't support UDP, which makes forwarding DNS through it a bit more complicated to set up. To have full DNS resolution, the FreedomBox would have to use some additional software:

Resolvconf

Using resolvconf ensures that the resolv.conf file doesn't get changed. Pointing to the right DNS resolver can be done by dropping a file named base in /etc/resolvconf/resolv.conf.d/ containing

nameserver 127.0.0.1

Pdnsd

Pdnsd is useful as it is able to cache, and to define rules to use a given DNS server depending on the request. Here's the relevant config:

global {
    perm_cache = 2048;
    cache_dir = "/var/cache/pdnsd";
    run_as = "pdnsd";
    server_ip = 127.0.0.1;
    status_ctl = on;
    min_ttl = 15m;
    max_ttl = 1w;
    timeout = 120;
}

# Tor DNS resolver
server {
    label = "tor";
    ip = 127.0.0.1;
    port = 8853;
    uptest = none;
    exclude=".invalid";
    policy=included;
    proxy_only = on;
    lean_query = on;
}
# ttdnsd
server {
    label = "ttdnsd";
    ip = 127.0.0.2;
    port = 53;
    uptest = none;
    exclude=".invalid",".exit",".onion";
    policy=included;
    proxy_only = on;
    lean_query = on;
}

Ttdnsd

Finally, ttdnsd is the one that will resolve queries that pdnsd won't be able to resolve through the Tor resolver. In /etc/default/ttdnsd:

ADDR_ARG="-b 127.0.0.2"
PORT_ARG="-p 53"
