Tor transparent proxy on Linux: a simple implementation

The starting idea comes from a colleague who asked me: “Is it possible to route all system traffic through Tor, using it as a sort of VPN?”.

Yes, it’s possible, using a specific feature of Tor.

Tor has support for transparent proxy connections in addition to SOCKS connections.
Using the operating system’s packet filtering system, it is possible to redirect all outbound connections into a transparent proxy.

Please note: this is not a best practice.

TL;DR: Simply use TorBrowser.

When you take your whole operating system and stick it behind transparent proxying, everything goes over Tor using, by default, the same circuit.
Operating system updates, emails, web browsing, and fetching information about media you play will all share the same circuit, so the exit node could connect all of these things together and link them to a single entity: things intended to be anonymous could be linked to things which reveal your identity, or used as a fingerprint that an observer watching exit traffic could piece together.

So, consider this script as a simple exercise, not privacy-focused.

The purpose of this ‘exercise’ is to create a script that semi-automatically configures the system to route all outbound connections made by the current user through Tor.

Based on this tutorial, the script (which needs to be started as root: this is also not a best practice!) creates a custom torrc file with these options:

VirtualAddrNetworkIPv4 10.192.0.0/10 
AutomapHostsOnResolve 1
TransPort 192.168.1.1:9040
DNSPort 192.168.1.1:5353

These options enable a transparent proxy port and a DNS relay on Tor.

The script then kills any other tor processes and starts a brand-new session with the custom torrc.

The next step is the configuration of the firewall rules, which first forward all DNS requests to the DNS relay port, then route all traffic through the transparent proxy port opened by Tor.

These rules are configured for all system users except the root user (which starts the script and consequently the tor process).

Once the iptables configuration is complete, the script waits for a keypress before starting the deactivation process: a simple flush of the iptables rules, a restore of the previous configuration, and a brief cleanup of support files.
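
The steps above, condensed into an added example (it is not the script this post describes). It uses the torrc values shown earlier; the `NO_PROXY` ranges, the backup path and the choice of `DNAT` (needed because the listeners are bound to 192.168.1.1 rather than loopback) are assumptions.

```shell
#!/bin/sh
# Added example. Values mirror the torrc on this page; NO_PROXY and BACKUP are assumptions.
TOR_ADDR=192.168.1.1      # local address Tor listens on
TRANS_PORT=9040           # TransPort
DNS_PORT=5353             # DNSPort
VIRT_NET=10.192.0.0/10    # VirtualAddrNetworkIPv4 (automapped names)
TOR_UID=0                 # root starts tor, so root is exempt
NO_PROXY="127.0.0.0/8 192.168.1.0/24"    # assumed ranges that stay direct
BACKUP=/root/iptables.before-tor         # assumed backup path, root-only directory

gen_torrc() {
    printf '%s\n' "VirtualAddrNetworkIPv4 $VIRT_NET" "AutomapHostsOnResolve 1" \
        "TransPort $TOR_ADDR:$TRANS_PORT" "DNSPort $TOR_ADDR:$DNS_PORT"
}

# Emit the nat rules in iptables-restore format. Order matters: first match wins.
gen_rules() {
    echo "*nat"
    # 1. Tor's own packets leave untouched, otherwise they loop back into Tor.
    echo "-A OUTPUT -m owner --uid-owner $TOR_UID -j RETURN"
    # 2. DNS goes to the DNSPort, before any exemption can let it out.
    echo "-A OUTPUT -p udp --dport 53 -j DNAT --to-destination $TOR_ADDR:$DNS_PORT"
    # 3. Automapped addresses must reach Tor even though they look private.
    echo "-A OUTPUT -d $VIRT_NET -p tcp --syn -j DNAT --to-destination $TOR_ADDR:$TRANS_PORT"
    # 4. Local destinations stay direct.
    for net in $NO_PROXY; do echo "-A OUTPUT -d $net -j RETURN"; done
    # 5. Every other new TCP connection goes to the TransPort.
    echo "-A OUTPUT -p tcp --syn -j DNAT --to-destination $TOR_ADDR:$TRANS_PORT"
    echo "COMMIT"
    # Not covered: non-DNS UDP, ICMP and all IPv6 (ip6tables) bypass these rules.
}

activate() {    # needs root: save current rules, then append the new ones
    iptables-save > "$BACKUP" && gen_rules | iptables-restore --noflush
}

deactivate() {  # needs root: flush, restore the saved rules, clean up
    iptables -t nat -F OUTPUT
    iptables-restore < "$BACKUP" && rm -f "$BACKUP"
}

case "${1:-}" in
    on)   activate ;;
    off)  deactivate ;;
    show) gen_torrc; gen_rules ;;
esac
```

Run it with `show` to print the torrc and ruleset without touching the system; `on` and `off` apply and revert the rules.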

