Tor configuration

See

Tor is used in the Freedombuddy system.

Packages

The following packages are required for this recipe:

Configuration

The default configuration in Debian is already pretty straightforward. However, enabling a few more options can be useful.

Tor

To enable the internal Tor resolver:

DNSPort 8853
AutomapHostsOnResolve 1
AutomapHostsSuffixes .exit,.onion

We might want to permit access to the socks proxy.

TransPort 9040
TransListenAddress 127.0.0.1

We can also enable the control port, so that commands (like NEWNYM, to build new circuits) can be passed to Tor.

ControlPort 9051

Polipo

This configuration might be changed if the polipo proxy should also be offered to clients on the local network.

proxyAddress = "127.0.0.1"
proxyPort = 8118

socksParentProxy = "localhost:9050"
socksProxyType = socks5

proxyName = "localhost"

cacheIsShared = false

diskCacheRoot = ""
localDocumentRoot = ""

disableVia = true

dnsUseGethostbyname = yes

disableLocalInterface = true
disableConfiguration = true

censoredHeaders = from,accept-language,x-pad,link
censorReferer = maybe

maxConnectionAge = 5m
maxConnectionRequests = 120
serverMaxSlots = 8
serverSlots = 2
tunnelAllowedPorts = 1-65535

DNS

Torifying the traffic makes little sense if an ISP is still able to monitor its users' activities through their DNS requests. Even using something like OpenDNS still reveals in clear text which website/host you are connecting to.

It is then important to torify the DNS requests themselves.

Tor offers a resolver that can be defined with the DNSPort option. However, this resolver can only answer A requests. In addition, Tor doesn't support UDP, which makes DNS forwarding through Tor a bit more complicated to set up. To have full DNS resolution, the freedombox would have to use some additional software:

Resolvconf

Using resolvconf ensures that the resolv.conf file doesn't get changed. Pointing to the right DNS resolver can be done by dropping a file named base in /etc/resolvconf/resolv.conf.d/ containing

nameserver 127.0.0.1

Pdnsd

Pdnsd is useful as it is able to cache results and to define rules that pick a given DNS server depending on the request. Here's the relevant config:

global {
    perm_cache = 2048;
    cache_dir = "/var/cache/pdnsd";
    run_as = "pdnsd";
    server_ip = 127.0.0.1;
    status_ctl = on;
    min_ttl = 15m;
    max_ttl = 1w;
    timeout = 120;
}

# Tor DNS resolver
server {
    label = "tor";
    ip = 127.0.0.1;
    port = 8853;
    uptest = none;
    exclude = ".invalid";
    policy = included;
    proxy_only = on;
    lean_query = on;
}

# ttdnsd
server {
    label = "ttdnsd";
    ip = 127.0.0.2;
    port = 53;
    uptest = none;
    exclude = ".invalid", ".exit", ".onion";
    policy = included;
    proxy_only = on;
    lean_query = on;
}

Ttdnsd

Finally, ttdnsd is the one that will resolve the queries that pdnsd won't be able to resolve through the Tor resolver. In /etc/default/ttdnsd:

ADDR_ARG="-b 127.0.0.2"
PORT_ARG="-p 53"
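To check what the two pdnsd server blocks, with ttdnsd as fallback, actually do with a given query, here is an added Python model of pdnsd's server selection; it is not code from this page, from pdnsd or from FreedomBox. The server labels, exclude lists and the A-only limit of the Tor DNSPort come from the configuration above; the in-order fallback behaviour and the record types assumed for ttdnsd are assumptions of this model.

```python
from dataclasses import dataclass

@dataclass
class Server:
    label: str
    exclude: tuple = ()                       # suffixes this server must never see
    supported: frozenset = frozenset({"A"})   # record types it can answer

# Mirrors the two server{} blocks of the pdnsd configuration above. The Tor
# DNSPort only answers A requests (as the page says); the record types listed
# for ttdnsd are an assumption of this model, not taken from the page.
PDNSD_SERVERS = [
    Server("tor", exclude=(".invalid",)),
    Server("ttdnsd", exclude=(".invalid", ".exit", ".onion"),
           supported=frozenset({"A", "AAAA", "MX", "TXT", "NS", "PTR", "CNAME"})),
]

def _excluded(name, suffixes):
    # an exclude entry with a leading dot covers the domain itself and its subdomains
    return any(name == suf.lstrip(".") or name.endswith(suf) for suf in suffixes)

def candidate_servers(name, qtype="A", servers=PDNSD_SERVERS):
    """Labels of the servers pdnsd may ask for this query, in configured order.
    A server is skipped when the name hits one of its exclude suffixes or when
    it cannot answer the record type. An empty list means the query is dropped
    rather than sent anywhere (better than leaking a .onion name to clearnet)."""
    name = name.rstrip(".").lower()
    return [s.label for s in servers
            if not _excluded(name, s.exclude) and qtype.upper() in s.supported]

def leaks_to_clearnet(name, qtype="A"):
    """True if a Tor-only (.onion/.exit) name could reach the non-Tor resolver."""
    tor_only = name.rstrip(".").lower().endswith((".onion", ".exit"))
    return tor_only and "ttdnsd" in candidate_servers(name, qtype)

if __name__ == "__main__":
    # constructed sample names; the .onion address is not a real service
    for n, t in [("example.com", "A"), ("example.com", "MX"),
                 ("abcdefghijklmnop.onion", "A"), ("foo.exit", "MX"),
                 ("host.invalid", "A")]:
        print(f"{t:<4} {n}: {candidate_servers(n, t) or '(dropped)'}")
```

Note that a non-A query for a .exit or .onion name ends up with no server at all: the Tor resolver cannot answer it and the exclude list keeps it away from ttdnsd, so it is dropped instead of leaked.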


CategoryFreedomBox