How to set up a local proxy. Proxy settings when using TOR browser and Vidalia

What if you want to reach the network without far-fetched restrictions, but do not want to switch the proxy in the browser every time? What if you want to visit both banned sites and ordinary ones, without the speed at which ordinary sites open suffering? What if you are curious what is going on in remote corners of the global network?

Based on these considerations, we need to:

  • Ordinary sites open as usual
  • Blocked sites open through Tor without any per-site settings
  • All sites in the .onion zone also open without settings

On the one hand, the requirements are contradictory. On the other hand, what can you not do for the sake of convenience!

One could recall various ways and means of bypassing DPI, but if you do not want to think about any of that and would rather set it up once and forget it, then in terms of easy access to blocked sites Tor has no real alternative for this task.

You will not get complete anonymity by following these instructions alone. Anonymity is not possible without OPSEC measures. These instructions only cover circumvention of restrictions.

What do we need?

To begin with, we need either a router or a server that acts as a transparent bridge passing all traffic through itself. It could be an existing server, or a Raspberry Pi box. Ordinary compact routers running Linux can also work, provided the necessary packages can be installed on them.

If you already have a suitable router, then you do not need to configure the bridge separately and you can.

If installing Tor on your router is a problem, you will need any computer with two network interfaces and Debian Linux on board. Eventually you will connect it inline, between the router that faces the outside world and your local network.

If not to servers and routers, then maybe.

Let's set up the bridge

Setting up a bridge on Debian is not a problem. You will need the brctl program, which is in the bridge-utils package:

apt install bridge-utils

The permanent configuration for the bridge is set in /etc/network/interfaces. If you are making a bridge from interfaces eth0 and eth1, the configuration will look like this:

# Mark interfaces as manually configurable
iface eth0 inet manual
iface eth1 inet manual

# Bridge comes up automatically after reboot
auto br0

# Bridge with DHCP IP acquisition
iface br0 inet dhcp
    bridge_ports eth0 eth1

# Bridge with static IP
iface br0 inet static
    bridge_ports eth0 eth1
    address 192.168.1.2
    netmask 255.255.255.0
    gateway 192.168.1.1

You need to choose one configuration for the bridge: with a dynamic IP or a static one.

Please note that at this stage it is not necessary to place the server inline in the network. You can get by with one connected interface.

Let's ask the system to apply the new settings:

service networking reload

Now you can check that the bridge exists with the brctl show command:

# brctl show
bridge name     bridge id               STP enabled     interfaces
br0             8000.0011cc4433ff       no              eth0
                                                        eth1

You can view the assigned IP address, and generally confirm that an IP was obtained via DHCP or set statically, using the ip command:

# ip --family inet addr show dev br0 scope global
4: br0: mtu 1500 qdisc noqueue state UP
    inet 192.168.1.2/24 brd 192.168.1.255 scope global br0

If everything is in order with the IP addresses, you can already try placing the server inline in the network...

After all, when connected through the server, all devices on your network must have full access to the global network as if there were no server between them and the external router. The same applies to DHCP and everything else. All of this is worth checking before moving on to setting up Tor.

If something does not work as before, or does not work at all, solve those problems first and only then move on to setting up Tor itself.

Set up the Tor daemon

Tor is installed in the usual way. Let's also install the country geolocation database:

apt install tor tor-geoipdb

At the end of the /etc/tor/torrc configuration file, add directives that enable the proxy server function:

VirtualAddrNetworkIPv4 10.0.0.0/8
AutomapHostsOnResolve 1
TransPort 0.0.0.0:9040
DNSPort 0.0.0.0:5300

Let's restart Tor and check that DNS in our configuration works on some well-known site:

# service tor restart
# dig +short facebookcorewwwi.onion @localhost -p 5300
10.11.127.156

The last command should output the IP from the 10.0.0.0/8 subnet.

On restart, Tor will in this case complain about using a public IP for TransPort and DNSPort, which could indeed be reached by outsiders. Let's fix this by allowing only connections from the local network (in my case 192.168.1.0/24):

iptables -A INPUT -s 192.168.1.0/24 -p tcp --dport 9040 -j ACCEPT
iptables -A INPUT -s 192.168.1.0/24 -p udp --dport 5300 -j ACCEPT
iptables -A INPUT -p tcp --dport 9040 -j DROP
iptables -A INPUT -p udp --dport 5300 -j DROP

The last two rules can be skipped if you have the default DROP rule for the INPUT chain.

Set up access for the entire local network

In order for all devices on the network to be able to access sites in Tor, we need to forward all requests to the dedicated network 10.0.0.0/8 to the port of the built-in Tor proxy server:

iptables -t nat -A PREROUTING -p tcp -d 10.0.0.0/8 -j REDIRECT --to-port 9040
iptables -t nat -A OUTPUT -p tcp -d 10.0.0.0/8 -j REDIRECT --to-port 9040

We add two rules for the PREROUTING and OUTPUT chains so that the scheme works not only from devices on the network, but also from the server itself. If this scheme is not required to work from the server itself, then adding the rule to the OUTPUT chain can be skipped.

Forwarding DNS queries to the .onion zone

This problem could be solved either by substituting your own DNS server in DHCP responses to clients or, if it is not customary to use a local DNS server on your network, by intercepting all DNS traffic. In the second case you will not need to configure anything at all, but all your clients, including you, will lose the ability to make arbitrary requests to arbitrary servers. This is an obvious inconvenience.

We will forward only DNS requests that mention the .onion domain to the built-in DNS server port, leaving all other requests alone:

iptables -t nat -A PREROUTING -p udp --dport 53 -m string \
    --hex-string "|056f6e696f6e00|" --algo bm -j REDIRECT --to-ports 5300
iptables -t nat -A OUTPUT -p udp --dport 53 -m string \
    --hex-string "|056f6e696f6e00|" --algo bm -j REDIRECT --to-ports 5300

The magic string 056f6e696f6e00 comes from the way dots are represented in DNS queries: each label is sent as its length followed by the label itself. This is why our magic string starts with 0x05, for the five characters of the word onion. The string ends with the null byte 0x00 because the root domain (the final dot) has zero length.

This approach lets your users (and you) use whatever DNS servers they find convenient, and query any DNS server without intermediaries. At the same time, no request in the .onion zone will reach the open Internet.
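To see exactly which packets the hex string matches, here is an added Python example (not part of the original post) that encodes names the way DNS does and compares the raw byte search the iptables rule performs with a proper parse of the question name. The sample packets are constructed; no real queries are sent.

```python
import struct

# The bytes the iptables rule searches for: length 5, "onion", root label (0).
ONION_MAGIC = bytes.fromhex("056f6e696f6e00")


def encode_qname(name: str) -> bytes:
    """Encode a hostname as DNS wire-format labels: <len><label>... <0>."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label: {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS query (constructed sample; A record, RD bit set)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack("!HH", qtype, 1)


def naive_onion_match(packet: bytes) -> bool:
    """What `-m string --hex-string "|056f6e696f6e00|"` does: a plain byte search."""
    return ONION_MAGIC in packet


def parse_qname(packet: bytes) -> str:
    """Parse the first question name; rejects truncated or compressed names."""
    pos, labels = 12, []  # the 12-byte header comes first
    while True:
        if pos >= len(packet):
            raise ValueError("truncated packet")
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:  # compression pointers are not valid in a question
            raise ValueError("compression pointer in question name")
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels)


def is_onion_query(packet: bytes) -> bool:
    """Case-insensitive check that the last label of the queried name is 'onion'."""
    try:
        name = parse_qname(packet)
    except ValueError:
        return False
    return name.lower().split(".")[-1] == "onion"


if __name__ == "__main__":
    for qname in ["facebookcorewwwi.onion", "onion.example.com", "Example.ONION"]:
        pkt = build_query(qname)
        print(f"{qname:24} byte-match={naive_onion_match(pkt)!s:5} "
              f"parsed={is_onion_query(pkt)}")
```

The third name shows the gap in the byte-match approach: a resolver that sends mixed-case names (DNS 0x20 case randomization does exactly this) slips past the hex-string rule, while the parsed check still recognizes it as a .onion query.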

Now try to reach some popular site on the Tor network from any device on the local network. For example, like this:

$ curl -I facebookcorewwwi.onion
HTTP/1.1 301 Moved Permanently
Location: https://facebookcorewwwi.onion/

Debugging and troubleshooting

If you want to make sure that no DNS requests for .onion leave the server, their absence can be checked like this:

ngrep -q -d br0 -W byline onion udp port 53

Normally this command, run on the server, should show no packets at all, that is, print nothing.

If Firefox doesn't see .onion

Firefox refuses to resolve .onion names by default. If this bothers you, and the prospect of accidental deanonymization does not (since we no longer let DNS queries for .onion reach the open Internet), you can disable this behaviour in about:config via the key network.dns.blockDotOnion.

Mobile Safari and .onion

iOS apps, including Safari and Chrome, basically ignore .onion when used this way. I do not know how to fix this problem within such a scheme.

Provider replaces IP in DNS

Some providers, for economic reasons, instead of blocking sites by IP or via DPI, simply substitute the IP in DNS responses for sites on the banned list.

The simplest solution would be to switch to the Google Public DNS servers. If that does not help, meaning your provider redirects all DNS traffic to its own server, you can switch to using Tor DNS, redirecting all DNS traffic to it in turn:

iptables -t nat -A PREROUTING -p udp --dport 53 -j REDIRECT --to-ports 5300
iptables -t nat -A OUTPUT -p udp --dport 53 -j REDIRECT --to-ports 5300

My network uses IPs from 10.0.0.0/8

No problem! In all the directives above, use some other subnet from those set aside for this purpose, excluding the reserved ones. Seriously, pay attention to the reserved ones.

Besides, it is not necessary to use the whole range at once; you can limit yourself to a subnet. For example, 10.192.0.0/10 will do.

Bypass blocking via Tor

To access blocked sites through Tor, you first need to make sure you are not trading one problem for another by using exit nodes that are subject to the same restrictions as you because of their geographic location. This is done by listing in torrc the countries whose exit nodes must not be used:

ExcludeExitNodes {RU}, {UA}, {BY}

Updating the registry

The registry does not stand still, and the list of blocked sites keeps growing. Therefore, you need to download the current list of IPs from time to time and add it to ipset. The best way is not to download the entire list each time but only the changes, for example from here on GitHub.

#!/bin/bash
set -e
mkdir -p /var/local/blacklist
cd /var/local/blacklist
# Fetch only the changes; clone on the first run
git pull -q || git clone https://github.com/zapret-info/z-i.git .
ipset flush blacklist
# Skip the header line, take the first ;-separated column, pull out IPv4 addresses
tail -n +2 dump.csv | cut -f1 -d \; | grep -Eo "[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}" | tee /var/local/blacklist/blacklist.txt | xargs -n1 ipset add blacklist

It is possible to remove and add only the IPs that changed in the list, for which you may need git whatchanged.

If the script above suits you, put it in /etc/cron.daily/blacklist-update. Don't forget to give this file execute permissions.

chmod +x /etc/cron.daily/blacklist-update
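A more careful way to turn dump.csv into ipset entries, as an added Python example that is not part of the original post: it validates every address instead of grepping digit runs, keeps CIDR ranges (which the grep above drops), de-duplicates, and emits one `ipset restore` transaction rather than one ipset call per entry. It assumes the dump layout shown in the constructed sample (first `;`-separated field holds IPs or CIDRs joined by " | ", first line is a header) and a hash:net set rather than the hash:ip set used above, so that ranges fit.

```python
import ipaddress

# Constructed sample in the layout assumed for z-i dump.csv: a header line,
# then rows whose first `;`-separated field holds IPs or CIDRs joined by " | ".
SAMPLE_DUMP = """Updated: 2020-01-01 00:00:00 +0300
192.0.2.10 | 192.0.2.11;example.org;http://example.org/page;Org;1234;2019-12-31
198.51.100.0/24;;;Org;1235;2019-12-31
192.0.2.10;example.net;;Org;1236;2019-12-31
not-an-ip | 203.0.113.7;bad.example;;Org;1237;2019-12-31
"""


def extract_networks(lines):
    """Return validated, de-duplicated IPv4 hosts and networks from column 1."""
    seen, result = set(), []
    for line in lines[1:]:  # the first line is the header
        first = line.split(";", 1)[0]
        for token in first.split("|"):
            token = token.strip()
            if not token:
                continue
            try:
                net = ipaddress.ip_network(token, strict=False)
            except ValueError:
                continue  # drop garbage instead of feeding it to ipset
            if net.version != 4 or net in seen:
                continue
            seen.add(net)
            result.append(net)
    return result


def ipset_restore_script(lines, setname="blacklist"):
    """Render input for `ipset restore`: one transaction, safe to re-run."""
    out = [f"create {setname} hash:net -exist", f"flush {setname}"]
    for net in extract_networks(lines):
        out.append(f"add {setname} {net.with_prefixlen} -exist")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # Pipe this output into `ipset restore` instead of calling ipset per entry.
    print(ipset_restore_script(SAMPLE_DUMP.splitlines()), end="")
```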

Save settings

apt install iptables-persistent

dpkg-reconfigure iptables-persistent

Unfortunately, there is no such convenient package for ipset yet, but the problem is solved by the /etc/network/if-pre-up.d/ipset script:

#!/bin/sh
# Recreate the set if it is missing, then reload the saved list
ipset -exist create blacklist hash:ip
xargs -n1 ipset add -exist blacklist < /var/local/blacklist/blacklist.txt

Be sure to give this script the right to execute:

chmod +x /etc/network/if-pre-up.d/ipset

On the next reboot, this script will be executed and restore the list of blocked IPs.

If you forget about servers...

Okay, tell me, what if I want the same convenient access to .onion, but without servers, locally, on the same computer?

No problem! In this case everything is even simpler. It is enough to add these three lines to torrc:

AutomapHostsOnResolve 1
TransPort 9040
DNSPort 5300

Then these two rules for iptables:

iptables -t nat -A OUTPUT -p tcp -d 127.192.0.0/10 -j REDIRECT --to-port 9040
iptables -t nat -A OUTPUT -p udp --dport 53 -m string \
    --hex-string "|056f6e696f6e00|" --algo bm -j REDIRECT --to-ports 5300

And you can test it. Access to blocked sites is configured according to the instructions above.

A fly in the ointment

Despite its simplicity and convenience, this approach inherits some of the shortcomings of the Tor network.

You access prohibited sites on behalf of exit nodes, which gives exit node administrators the fundamental ability to observe your traffic and your passwords if the target site is not encrypted (there must be https at the beginning of the address, or a padlock 🔒 in the address bar).

One would hope that the administrators of such nodes would not snoop on you, for the sake of their own good night's sleep, but...

If you access a site over an insecure connection, whether through Tor or directly, always keep in mind that your logins and passwords may end up in a folder on the desk of a person in uniform.

That's all!

Is something still unclear? Is there anything you need to fix or is there something you particularly liked? Write below in the comments.

Many people believe that TOR is a 100% private and safe way to use the World Wide Web without the risk of being tracked. Is this true, or just a rumor? There are many ways to check, but not all sites write about it.

In fact, TOR does not solve the problems of privacy and anonymity. It has many limitations and risks that you should be aware of before you start using it.

Exit nodes can be observed

With TOR, network traffic enters the TOR network and passes through several relays before leaving it. The idea behind TOR is to prevent identification of the originating computer: any single relay only sees the previous hop, or merely forwards encrypted traffic to other TOR nodes. If you connect to Google via TOR, the traffic passes through several TOR relays, but eventually leaves the network and connects to Google's servers. The last TOR node, where traffic leaves the TOR network and enters the open Internet, can be observed. This node where traffic leaves the TOR network is called the exit relay or exit node.

Exit nodes are at much greater risk than relays that merely pass traffic along. It is possible that a government can estimate the amount of traffic passing through exit nodes.

This problem is not contrived. When using TOR, always use encrypted HTTPS sites, especially if they handle sensitive information. Traffic can be tracked, and not only by governments but also by criminals who want access to someone else's information.

Plugins, JavaScript and other applications that expose IP

The TOR browser has secure default settings: JavaScript and plug-ins are disabled, and the browser warns you when you try to download a file and open it in another application.

If you are trying to change your IP address, JavaScript should be avoided. JavaScript in the form of various plugins, Flash applications, etc. can lead to information leakage and, as a result, reveal your real IP.

By default, the TOR browser does not allow such problems; however, these settings can be changed to disable the protection and use JavaScript or plugins. Do not do this if you want to remain anonymous. On the other hand, if you do not want to remain anonymous, then you do not need TOR.

Do not take this lightly. The TOR browser should be left in safe mode. You should not use TOR through any other browser. The TOR browser's initial settings do not need changes. You should not use other applications while using TOR.

For a long time I did not feel the need to bypass the great and terrible registry of blocked sites, but then trouble came to me: my favorite provider went and blocked Lostfilm. On this occasion, today I will tell you how to set up Tor as a proxy and use it together with Chrome (the choice of browser is not critical).

I will consider two cases and start with the simpler and more common.

Setting up a proxy on a local Windows computer

If we just have a computer with Windows, then first go here: https://www.torproject.org/download/download.html.en , expand the Microsoft Windows section and download the Vidalia Relay Bundle. After installation and launch, the following window appears:

Uncheck Show this window on startup, then click the Settings button and go to the Sharing tab:


Choose the option Run as client only if we do not want to pass other people's traffic through ourselves to increase the overall speed of the Tor network. Click OK.

In the main window, click Hide to minimize the program to tray. When you restart Windows, Tor starts automatically. Let's move on to browser settings.

Browser settings on the example of Google Chrome

Let's go to settings:

On the first tab, enter the name of the proxy, for example LocalTor:

On the second tab enter:

Host IP Address: 127.0.0.1

SOCKS Proxy: tick

SOCKS v4/v4a: choose


Go to the third tab; here we add the sites that need to go through the proxy.

Click Add new pattern. Let's add Lostfilm.

Pattern name: LostFilm

url pattern: *lostfilm.tv*

(Ordinary wildcard masks are used for patterns, so the entry *lostfilm.tv* means all links in which the site address occurs.)

Click Save in the pattern editing window, then again in Proxy Settings. Now, besides the default proxy, we have our own: LocalTor.

Now, when you try to access Lostfilm, FoxyProxy will automatically force the browser to use our Tor, and no registry scares us anymore.

To add other sites, edit the created proxy, LocalTor, by going to the third tab and adding a new pattern.

Setting up TOR on a separate computer to proxy several home computers

This part is not for everyone, but since I have 2 computers at home and a spare nettop, I decided: why not use the latter as a proxy? I deployed a virtualization platform on it and made a virtual machine inside, but that is not important at all; we will assume it is simply a separate computer.

First of all, I installed Ubuntu 14.04 there in a minimal server configuration. Then I installed Tor and some extras:

apt-get install tor tor-geoipdb privoxy

I back up the proxy config and create a new one:

mv /etc/privoxy/config /etc/privoxy/config.backup
vi /etc/privoxy/config

In the config I write:

# Generally, this file goes in /etc/privoxy/config
#
# Tor listens as a SOCKS4a proxy here:
forward-socks4a / 127.0.0.1:9050 .
confdir /etc/privoxy
logdir /var/log/privoxy
# actionsfile standard          # Internal purpose, recommended
actionsfile default.action      # Main actions file
actionsfile user.action         # User customizations
filterfile default.filter
# Don't log interesting things, only startup messages, warnings and errors
logfile logfile
#jarfile jarfile
#debug 0       # show each GET/POST/CONNECT request
debug 4096     # Startup banner and warnings
debug 8192     # Errors - *we highly recommend enabling this*
user-manual /usr/share/doc/privoxy/user-manual
listen-address 0.0.0.0:8118
toggle 1
enable-remote-toggle 1
enable-edit-actions 0
enable-remote-http-toggle 1
buffer-limit 4096

I restart the proxy:

/etc/init.d/privoxy restart

Done; now it remains to configure the browser. The setup is identical to the one already described; it differs only in the proxy settings themselves.

Network files used to establish a connection can be infected or corrupted by viruses, preventing either the browser or the proxy from reaching the required resource. Therefore, we recommend scanning the system and cleaning out malicious files using one of the available methods.

After that, it is desirable to restore system files, because, as mentioned above, they could be damaged due to infection. This is done by one of the built-in tools of the operating system. For a detailed guide on how to complete the task, read our other material at the following link.

Method 4: Scan and fix registry errors

Most Windows OS system settings are stored in the registry. Sometimes they get damaged or start to work incorrectly due to some kind of failure. We advise you to scan your registry for errors and fix them all if possible. After restarting your computer, try reconfiguring the connection. Read more about cleaning.

A lot of time has passed, and the situation in Runet with government regulation has only gotten worse. Many sites are massively blocked for a variety of reasons, and even simply "by mistake" (because they were on the same IP as "suspicious sites"). Therefore, various means of circumvention are in demand more than ever. Increased interest in . After our last article, readers began sending us questions asking for help with setting up Tor.

Questions of this nature:

1) How to work through Tor using any Internet browsers (not just a special Tor browser)?

2) How to torify any applications (for example, Skype, ICQ, etc.)?

3) What should I do if my Internet Service Provider (ISP) blocks access to Tor?

We will try to answer all these questions with clear examples. To torify all (or almost all) of our Internet traffic, the standard Tor Browser Bundle package, which is unpacked to a desktop or flash drive and includes a preconfigured Tor and a special browser, does not suit us.

We need to install the "stationary version" into the operating system; this is the Vidalia-bundle package (it includes Vidalia and Tor).

We install it into the system (see our article), then at the first start we immediately set the settings for work:

Fig. 1. Tor settings - "Sharing"

Fig. 2. Tor settings - "Network"

1) Now we start setting up our working browsers for anonymous work through Tor.

Setting up Internet Explorer:

In Windows 7, go to "Control Panel - Network and Internet - Internet Options - Connections - Network Settings - Configure LAN Settings", check the "Proxy Server" box, open the "Advanced" tab, and there in item 4 enter Socks: 127.0.0.1:9050

See screenshots (3,4,5).

Fig. 4. Proxy server

Fig. 5. Socks5

That's it, our IE works through Tor.

Setting up Google Chrome:

Google Chrome should be the "default browser" in your operating system. Then see Fig. 6:

Fig. 6. Proxy Settings

After you click the "Change proxy server settings" button you get the already familiar Internet browser settings tabs, see screenshots (3,4,5). If you have done the previous step (Setting up Internet Explorer) correctly, then Google Chrome also works through the Tor network.

Setting up the Opera browser:

To do this, go to "Settings - Advanced - Network - Proxy servers".

Check the Socks box and enter the following data there: 127.0.0.1:9050

See screenshots 7 and 8.

Setting up the Mozilla Firefox browser:

For this we need the FoxyProxy Basic plugin, which we install in the "Extensions" section, see Fig. 9:

Then, when the plugin is installed, select the mode "Tor proxy for all addresses" (see Fig. 10)

Fig. 10. Select Tor for all addresses

and set the settings as in Fig. 11

That's it, now there will be no more "forbidden sites" for you ...

You can check your "new" IP address through the website http://2ip.ru

When you work through the Tor network, your address will be different from the one received from the provider.

2) Torify Skype, ICQ, µTorrent:

To torify Skype, go to "Settings - Connections", select the SOCKS5 tab, enter 127.0.0.1:9050

See fig. 12:

The same settings should be made for ICQ.

For torrent client µTorrent:

We go to "Settings - Connections" and set the settings as screenshot 13:

That's it, you can safely work with torrents.

3) Well, the hardest question. What to do if the Internet Service Provider (ISP) blocks access to Tor?

For this case we have uploaded the Vidalia Bridge Bundle distribution (for Windows 8, 7, Vista, and XP); it is a package for accessing the Tor network through a so-called "bridge".

See screenshot 14:

Let's briefly explain how it all works.

What does the concept of "bridge relays" mean?

Some ISPs try to prevent users from accessing the Tor network by blocking connections to known Tor relays. Bridge relays (or bridges for short) help these blocked users reach the Tor network. Unlike other Tor relays, bridges are not listed in the public directories. Since there is no complete public list, even if your ISP filters connections to all known Tor relays, it is unlikely to be able to block all bridges.

How to find bridge relays?

There are two main ways to find out the address of bridges:

a) Ask friends to set up private bridges for you;

b) Use public bridges.

To use private bridges, ask your friends to run Vidalia and Tor from a non-blocked area of the Internet and click "Help Blocked Users" on Vidalia's "Relay Setup Page". Then they should send you the "Bridge Address" (the line at the bottom of their relay page).

Unlike a regular relay, a relay in bridge mode simply transmits and receives data from the Tor network, so its operator should not expect any abuse complaints.

You can find bridges' public addresses by visiting https://bridges.torproject.org. The answers on this page change every few days, so check back periodically if you need more bridge addresses. Another way to find bridge public addresses is to send an email to [email protected]
