Tor configuration


Tor is used in the Freedombuddy system.

Current Configuration

Required Packages


Note that the transparent proxy ports are enabled here for future use; the box does not yet transparently proxy client traffic.

# Run as non-exit bridge relay
SocksPort [::]:9050
ORPort auto
ControlPort 9051
BridgeRelay 1
Exitpolicy reject *:*
Exitpolicy reject6 *:*

# Enable obfsproxy
ServerTransportPlugin obfs3,scramblesuit exec /usr/bin/obfsproxy managed
ExtORPort auto

# Enable transparent proxy
AutomapHostsOnResolve 1
TransPort [::1]:9040
DNSPort [::1]:9053
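As an added example (not from this page and not FreedomBox/Plinth code), a small Python audit that parses a torrc and reports the settings that matter for a bridge on a home network: listeners bound to non-loopback addresses, a BridgeRelay without a reject-all ExitPolicy, a ControlPort with no authentication option in the same file, and a missing DNSPort (the DNS-leak point discussed further down). It runs over an embedded copy of the configuration above and over a constructed hardened variant. The `[::]` SocksPort may well be intended so LAN clients can reach it; the audit only makes it visible.

```python
"""Audit a torrc for settings that matter on a home-network bridge.

Added example, not FreedomBox/Plinth code. TORRC_SAMPLE is a copy of the
bridge configuration from this page, embedded so the audit runs offline.
"""

TORRC_SAMPLE = """\
# Run as non-exit bridge relay
SocksPort [::]:9050
ORPort auto
ControlPort 9051
BridgeRelay 1
Exitpolicy reject *:*
Exitpolicy reject6 *:*

# Enable obfsproxy
ServerTransportPlugin obfs3,scramblesuit exec /usr/bin/obfsproxy managed
ExtORPort auto

# Enable transparent proxy
AutomapHostsOnResolve 1
TransPort [::1]:9040
DNSPort [::1]:9053
"""

# Same file with the SOCKS listener kept on loopback and cookie auth for the
# control port (constructed hardened variant, not from the page).
HARDENED_SAMPLE = (TORRC_SAMPLE.replace("SocksPort [::]:9050", "SocksPort 127.0.0.1:9050")
                   + "CookieAuthentication 1\n")

LOOPBACK = {"127.0.0.1", "::1", "localhost"}
LISTENERS = ("socksport", "transport", "dnsport", "controlport")


def parse_torrc(text):
    """Return (option, value) pairs in file order. Tor option names are
    case-insensitive, so they are lower-cased; comment and blank lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        entries.append((parts[0].lower(), parts[1].strip() if len(parts) > 1 else ""))
    return entries


def bind_host(value):
    """Listen address of a *Port option value: '[::]:9050', '127.0.0.1:9040',
    '9040' or '0.0.0.0:9050 IsolateDestAddr'. A bare port (or 'auto') means
    Tor's default of 127.0.0.1."""
    first = value.split()[0]
    if first.startswith("["):                    # bracketed IPv6 literal
        return first[1:first.index("]")]
    if ":" in first:
        return first.rsplit(":", 1)[0]
    return "127.0.0.1"


def audit(text):
    """Return a list of human-readable findings (empty means nothing to report)."""
    cfg = parse_torrc(text)
    keys = {k for k, _ in cfg}
    findings = []

    # Listeners reachable from beyond the box itself.
    for opt in LISTENERS:
        for key, value in cfg:
            if key == opt and value and value.split()[0] != "0":
                host = bind_host(value)
                if host not in LOOPBACK:
                    findings.append(f"{opt}: listens on {host}, reachable from the network")

    # A bridge relay must never act as an exit.
    if "bridgerelay" in keys:
        rejects_all = any(key == "exitpolicy" and value.lower().split() == ["reject", "*:*"]
                          for key, value in cfg)
        if not rejects_all:
            findings.append("bridgerelay: no 'ExitPolicy reject *:*', relay could carry exit traffic")

    # A control port with no authentication option lets any local process drive Tor.
    if "controlport" in keys and not keys & {"cookieauthentication", "hashedcontrolpassword"}:
        findings.append("controlport: neither CookieAuthentication nor HashedControlPassword set here")

    # Without a DNSPort, name lookups cannot be sent through Tor at all.
    if "dnsport" not in keys:
        findings.append("dnsport: not set, DNS lookups would still reach the ISP resolver")
    return findings


if __name__ == "__main__":
    for name, text in (("page config", TORRC_SAMPLE), ("hardened", HARDENED_SAMPLE)):
        print(f"== {name}")
        for finding in audit(text) or ["no findings"]:
            print("  ", finding)
```

Run it against /etc/tor/torrc by reading the file into `audit()`; the page config yields two findings (the SocksPort on `::` and the unauthenticated ControlPort), the hardened variant none. The ControlPort finding only says the option is absent from this file; Tor may still be getting it from another included file.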

Hidden Service

When the Tor Hidden Service is enabled through Plinth, the following lines are added to /etc/tor/torrc:

# Hidden Service configured by Plinth
HiddenServiceDir /var/lib/tor/hidden_service/
HiddenServicePort 80
HiddenServicePort 443
# end of Plinth Hidden Service config

Proposed Configurations


The following packages are required for this recipe:


The default configuration in Debian is already quite usable. However, enabling a few more options can be useful.


To enable the internal Tor resolver:

DNSPort 8853
AutomapHostsOnResolve 1
AutomapHostsSuffixes .exit,.onion

We might want to permit access to the SOCKS proxy.

TransPort 9040

We can also enable the control port, so that commands (like NEWNYM, which asks Tor to build new circuits) can be sent to Tor.

ControlPort 9051
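As an added example (not from this page and not Plinth code), here is the control-port exchange that sentence describes, in Python: the client authenticates and sends SIGNAL NEWNYM only if the authentication was accepted. The framing follows the Tor control protocol (a reply ends on the line whose status code is followed by a space; "-" continues, "+" starts a data block closed by a lone "."). The offline replay uses constructed controller transcripts; `connect_control()` and the cookie path /run/tor/control.authcookie (the Debian package's default, readable only by root and the debian-tor group) are assumptions for a live run, not page content.

```python
"""Request new Tor circuits over the ControlPort (9051 in the torrc above).

Added example, not FreedomBox/Plinth code. new_identity() is the real client
logic; replay() drives it with constructed controller transcripts so the
example runs without a Tor daemon.
"""
import io
import socket
from pathlib import Path


class ControlSession:
    """Minimal framing for the Tor control protocol. command() sends one line
    and collects reply lines '<code>-text' / '<code>+text' until the final
    '<code> text', returning (status, [texts])."""

    def __init__(self, rfile, wfile):
        self.rfile = rfile
        self.wfile = wfile

    def command(self, line):
        self.wfile.write(line + "\r\n")
        self.wfile.flush()
        texts = []
        while True:
            raw = self.rfile.readline()
            if not raw:
                raise ConnectionError("controller closed the connection")
            raw = raw.rstrip("\r\n")
            code, sep, text = raw[:3], raw[3:4], raw[4:]
            if not code.isdigit() or sep not in ("-", "+", " "):
                raise ValueError(f"malformed reply line: {raw!r}")
            texts.append(text)
            if sep == "+":                           # data reply: body up to a lone "."
                while True:
                    data = self.rfile.readline()
                    if not data:
                        raise ConnectionError("controller closed mid data reply")
                    if data.rstrip("\r\n") == ".":
                        break
                    texts.append(data.rstrip("\r\n"))
            if sep == " ":
                return int(code), texts


def new_identity(session, cookie=None):
    """AUTHENTICATE (hex cookie bytes when CookieAuthentication is on, bare
    AUTHENTICATE otherwise), then SIGNAL NEWNYM. Returns True only when both
    are accepted; the signal is never sent after a failed authentication."""
    auth = "AUTHENTICATE " + cookie.hex() if cookie else "AUTHENTICATE"
    status, _ = session.command(auth)
    if status != 250:
        return False
    status, _ = session.command("SIGNAL NEWNYM")
    session.command("QUIT")
    return status == 250


def connect_control(addr=("127.0.0.1", 9051)):
    """Session against a live Tor; not used by the offline replay."""
    sock = socket.create_connection(addr)
    return ControlSession(sock.makefile("r", encoding="ascii", newline=""),
                          sock.makefile("w", encoding="ascii", newline=""))


# Constructed controller transcripts (what Tor would answer), not captured output.
HAPPY = "250 OK\r\n250 OK\r\n250 closing connection\r\n"
BAD_COOKIE = "515 Authentication failed: Wrong length on authentication cookie.\r\n"


def replay(transcript, cookie=b"\x01" * 32):
    """Run new_identity() against a transcript; return (result, lines the client sent)."""
    sent = io.StringIO()
    result = new_identity(ControlSession(io.StringIO(transcript), sent), cookie)
    return result, sent.getvalue().split("\r\n")[:-1]


if __name__ == "__main__":
    print("offline, valid cookie:", replay(HAPPY))
    print("offline, rejected cookie:", replay(BAD_COOKIE))
    cookie_path = Path("/run/tor/control.authcookie")   # Debian default; assumption
    if cookie_path.exists():
        print("live NEWNYM:", new_identity(connect_control(), cookie_path.read_bytes()))
```

Tor rate-limits NEWNYM, so repeated calls within a few seconds are accepted but coalesced. If ControlPort is left without CookieAuthentication or HashedControlPassword, the bare AUTHENTICATE succeeds for any local process, which is exactly why one of the two should be set alongside the line above.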


This configuration might be changed if we decide that the Polipo proxy should be offered to clients on the local network.

proxyAddress = ""
proxyPort = 8118

socksParentProxy = "localhost:9050"
socksProxyType = socks5

proxyName = "localhost"

cacheIsShared = false

diskCacheRoot = ""
localDocumentRoot = ""

disableVia = true

dnsUseGethostbyname = yes

disableLocalInterface = true
disableConfiguration = true

censoredHeaders = from,accept-language,x-pad,link
censorReferer = maybe

maxConnectionAge = 5m
maxConnectionRequests = 120
serverMaxSlots = 8
serverSlots = 2
tunnelAllowedPorts = 1-65535


Torifying the traffic makes little sense if an ISP is still able to monitor its users' activity through their DNS requests. Even using something like OpenDNS still reveals in clear text which website or host you are connecting to.

It is therefore important to torify the DNS requests themselves.

Tor offers a resolver that can be defined with the DNSPort option. However, this resolver can only answer A requests. In addition, Tor doesn't support UDP, which makes DNS forwarding through it a bit more complicated to set up. To have full DNS resolution, the FreedomBox would have to use some additional software:


Using resolvconf ensures that the resolv.conf file doesn't get changed. Pointing to the right DNS resolver can be done by dropping a file named base in /etc/resolvconf/resolv.conf.d/ containing



pdnsd is useful as it can cache answers and apply rules to pick a given DNS server depending on the request. Here's the relevant config:

global {
    perm_cache = 2048;
    cache_dir = "/var/cache/pdnsd";
    run_as = "pdnsd";
    server_ip =;
    status_ctl = on;
    min_ttl = 15m;
    max_ttl = 1w;
    timeout = 120;
}

# Tor DNS resolver
server {
    label = "tor";
    ip =;
    port = 8853;
    uptest = none;
    proxy_only = on;
    lean_query = on;
}

# ttdnsd
server {
    label = "ttdnsd";
    ip =;
    port = 53;
    uptest = none;
    proxy_only = on;
    lean_query = on;
}


Finally, ttdnsd is the one that will resolve the queries that pdnsd cannot resolve through the Tor resolver. In /etc/default/ttdnsd:

PORT_ARG="-p 53"