How to Protect your Internet Anonymity and Privacy/TOR VPN
TOR only published instructions for the VPN mode in Linux, which is called transparent proxy, routing all network traffic via TOR transparently.
It is not advised to use Vidalia as it does not have sufficient system privileged by default. First install TOR use one of the several distribution specific ways. By default, TOR runs as daemon and has root privilege.
In Ubuntu for example, add the following lines to /etc/tor/torrc:
- VirtualAddrNetwork 10.192.0.0/10
- AutomapHostsOnResolve 1
- TransPort 9040
- DNSPort 53
This will instruct TOR to forward redirected traffic at port 9040, and forward domain name server requests at port 53. TOR will fail if it has insufficient privilege for the DNS port. You can use any existing DNS server by omitting the DNSPort line, but this is not as secure as TOR.
To redirect all the applications' network traffic, there is the Linux firewall iptables:
- sudo iptables -t nat -A OUTPUT -p tcp -m owner --uid-owner bob -m tcp -j REDIRECT --to-ports 9040
- sudo iptables -t nat -A OUTPUT -p udp -m owner --uid-owner bob -m udp --dport 53 -j REDIRECT --to-ports 53
- sudo iptables -t filter -A OUTPUT -p tcp -m owner --uid-owner bob -m tcp --dport 9040 -j ACCEPT
- sudo iptables -t filter -A OUTPUT -p udp -m owner --uid-owner bob -m udp --dport 53 -j ACCEPT
- sudo iptables -t filter -A OUTPUT -m owner --uid-owner bob -j DROP
This will work unless you have a very old Linux distribution. Only the first command is necessary to test the VPN functionality, redirecting all network traffic to port 9040, where TOR is listening. The redirection ONLY applies to user named bob. Once redirected, you need to restart TOR:
- /etc/init.d/tor restart
You can then login in as bob and fire up the browser for example, and check your external IP at any of the many proxy test sites.
User bob can be yourself. In this case you need to reset iptables to the previous state when you don't need TOR VPN. The other way is to login in as a different user whenever you need TOR VPN, where the redirection is setup to be "permanent".
Redirection of DNS port 53 is optional, but more secure. Even observers at your ISP will not know what websites you visited. The other firewall rules block other traffic to prevent leaking.
The rules can be stored in a shell script and executed whenever TOR VPN is needed. The default firewall rules will apply after system reboot. To setup a user with TOR VPN always on, copy the above script to (for Ubuntu):
- /etc/init.d/bobsvpn
To further prevent DNS leak, in Ubuntu, you need to change the file content at /etc/resolvconf/run/resovl.conf to
- nameserver 127.0.0.1
This will force ALL users to use TOR as the DNS server. After changing network settings, sometimes you need to refresh the network interface:
- sudo ifdown -a
- sudo ifup -a
Naturally TOR DNS will be slower and you will want to keep the original resolv.conf file when not using TOR.
The firewall rules cannot be undone directly. To avoid system reboot, you can store the firewall state before using TOR:
- sudo iptables-save > rulefile
and restore the rules after using TOR:
- sudo iptables-restore < rulefile
It is possible to grant privilege to users who cannot become superuser, and to grant scripts superuser privilege without asking for password. You can only edit the config file by:
- sudo visudo
If you make any mistakes, you may have to reboot in recovery mode, as root, to correct it. Safe scripts can be given the permission not to ask for su password by adding the line:
- bob ALL = NOPASSWD:/home/bob/bin/scriptX, /usr/bin/scriptY